AD/A-006  411 


DIGITAL  FLIGHT  CONTROL  SYSTEM 
REDUNDANCY  STUDY 

John  McGough,  et  al 

Bendix  Corporation 


Prepared  for: 

Air  Force  Flight  Dynamics  Laboratory 


July  1974 


DISTRIBUTED  BY: 


National  Technical  Information  Service 
U.  S.  DEPARTMENT  OF  COMMERCE 


NOTICE 


When Government drawings, specifications, or other data are used for any purpose other than in connection with a definitely related Government procurement operation, the United States Government thereby incurs no responsibility nor any obligation whatsoever; and the fact that the government may have formulated, furnished, or in any way supplied the said drawings, specifications, or other data, is not to be regarded by implication or otherwise as in any manner licensing the holder or any other person or corporation, or conveying any rights or permission to manufacture, use, or sell any patented invention that may in any way be related thereto.

This report has been reviewed and cleared for open publication and/or public release by the appropriate Office of Information (OI), in accordance with AFR 190-17 and DODD 5230.9. There is no objection to unlimited distribution of this report to the public at large, or by DDC to the National Technical Information Service.

This  technical  report  has  been  reviewed  and  is  approved  for  publication. 
DANIEL  K.  BIRD 

Project  Engineer/Technical  Monitor 
FOR  THE  COMMANDER 

PAUL  E.  BLATT 
Chief 

Control  Systems  Development  Branch 
Flight  Control  Division 

Copies  of  this  report  should  not  be  returned  unless  return  is  required  by 
security  considerations,  contractual  obligations,  or  notice  on  a specific 
document . 




UNCLASSIFIED
SECURITY CLASSIFICATION OF THIS PAGE (When Data Entered)

REPORT DOCUMENTATION PAGE (DD Form 1473)

1.  Report Number: AFFDL-TR-74-83
4.  Title (and Subtitle): Digital Flight Control System Redundancy Study
5.  Type of Report and Period Covered: Final, March 1973 - May 1974
6.  Performing Org. Report Number: Technical Prop. AP733
7.  Author(s): John McGough, Kurt Moses, John Strole, Walter Platt, Gibson Reynolds
8.  Contract or Grant Number(s): F33615-73-C-3035
9.  Performing Organization Name and Address: Bendix Corporation, Flight Systems Division, Teterboro, New Jersey 07608
10. Program Element, Project, Task Area and Work Unit Numbers: 62201F; 1987-01-32
11. Controlling Office Name and Address: Air Force Flight Dynamics Laboratory, Air Force Systems Command, United States Air Force, Wright-Patterson AFB, Ohio 45433
12. Report Date: July 1974
15. Security Class. (of this report): UNCLASSIFIED
16. Distribution Statement (of this Report): Approved for public release; distribution unlimited
19. Key Words: Flight Control Systems; Fly-by-Wire; Redundancy; Digital; Reliability; Failure Detection; Self-Test; Software; Test Validation

20. Abstract:

Redundancy requirements and trade-off criteria are established for flight critical digital flight control systems with particular emphasis on the fly-by-wire application. The use of general purpose digital computers is considered, with self-test and cross-channel comparison monitoring techniques to obtain the necessary flight safety reliability. A reliability model is presented which includes the effects of detected and undetected failures and provides a basis for establishing in-flight and preflight test coverage requirements consistent with a given reliability goal.

System characteristics that are pertinent to flight safety are discussed in detail. Among these are signal selection and cross-strapping, software, self-test, secondary actuator characteristics, digital computer architecture and I/O organization, equalization, multiplex communications, synchronization and test validation requirements.

DD Form 1473, edition of 1 Nov 65 is obsolete.


FOREWORD

This document is the final report on a study entitled "Digital Flight Control System Redundancy Study". The work was performed from March, 1973, to May, 1974, by the Flight Systems Division of The Bendix Corporation, Teterboro, New Jersey, under Air Force Contract No. F33615-73-C-3035 (AFFDL).

The work was administered under the direction of the Air Force Flight Dynamics Laboratory, Wright-Patterson Air Force Base, Ohio 45433, by Mr. D. Bird, Program Manager.

The principal contributors to this study, which was made under the direction of John McGough, Senior Engineer, are: Kurt Moses, Assistant Chief Engineer, Walter Platt, Assistant Chief Engineer, Gibson Reynolds, Senior Engineer, and John Strole, Senior Engineer, all of the Flight Systems Group of the Bendix Flight Systems Division.

This manuscript was released by the authors in July, 1974.



TABLE OF CONTENTS

SECTION                                                                 PAGE

1   INTRODUCTION                                                           1
2   SUMMARY                                                                3
3   EVALUATION CRITERIA FOR REDUNDANCY STUDIES                             5
    1. Design Goals Established                                            5
    2. Inflight and Preflight Test Coverage Defined                       10
    3. Latent Failures                                                    16
    4. Alternate Measures of Flight Safety Reliability                    24
    5. Periodic Tests                                                     29
    6. Effects of Failures of the Test Device and Disengage Logic         31
4   DESCRIPTION OF CANDIDATE REDUNDANT CONFIGURATIONS                     34
    1. Secondary Actuators                                                34
    2. Signal Selection Devices
    3. Effects of Mission Duration                                        36
    4. Self Tested Versus Comparison Monitored Configurations             38
    5. Triplex Versus Quadruplex                                          39
    6. LRU Failure Rates                                                  40
    7. Dual Configurations                                                40
    8. Triplex Configurations                                             41
    9. Quadruplex Configurations                                          44
    10. Triplex with Back-Up Configurations                               44
    11. Aborts                                                            51
5   TRADE-OFF OF REDUNDANT CONFIGURATIONS                                 53
    1. Trade-Off Parameters Identified                                    53
    2. Results                                                            54
    3. Conclusions                                                        57
6   APPLICATION TO THE 680-J SURVIVABLE FLIGHT CONTROL SYSTEM             71
    1. Ground Rules                                                       71
    2. Results                                                            73
    3. Conclusions                                                        75
7   DIGITAL VERSUS ANALOG IMPLEMENTATION                                  93
8   RECOMMENDATIONS FOR MIL-F-9490                                        95
9   CONCLUSIONS AND RECOMMENDATIONS FOR FUTURE ACTION                     97
10  REFERENCES                                                           102

APPENDICES

APPENDIX                                                                PAGE

I    BASELINE FBW SYSTEM                                                 104
     1. Definition of Single Thread FBW System                           104
     2. Failure Rate of Basic Components                                 113
II   FAILURE PERFORMANCE REQUIREMENTS                                    116
     1. Existing Sources of Failure Performance Requirements             116
III  MATHEMATICAL ADDENDA                                                130
IV   REDUNDANT SECONDARY ACTUATORS                                       134
     1. Force Summing Characteristics                                    134
     2. Normal Performance                                               135
     3. Failure Effects and Transients                                   136
V    THE DIGITAL COMPUTER                                                152
     1. Basic Architecture and Functional Description                    152
     2. I/O Interface                                                    158
VI   SIGNAL SELECTION, MONITORING AND EQUALIZATION                       175
     1. Operational Objectives of Signal Selection                       176
     2. Operational Objectives of Monitoring                             177
     3. Examples and Application of Signal Selection Devices             180
     4. Operational Characteristics of the Signal Selection Device       185
     5. Summary of Signal Selection Processes                            188
     6. Common Mode Failures                                             189
     7. Equalization                                                     191
     8. Supplement to Appendix VI                                        214
VII  SELF TEST CONSIDERATIONS                                            222
     1. The Sequential Machine Model                                     224
     2. Representation of Failures (i.e., Failure Effects)               235
     3. Breadboard Hardware Validation of a Self-Test Program            240
     Supplement A (Example)                                              249
     Supplement B (Self-Test Program Description)                        252
VIII MULTIPLEX COMMUNICATIONS                                            266
     1. Characteristics of the Multiplex System                          268
     2. Ground Rules for Trade-Off Estimates                             274
     3. Trade-Offs of Multiplex Configurations                           279
IX   COMMON MODE AND SOFTWARE SINGLE POINT FAILURES                      297
X    TEST VALIDATION CONSIDERATIONS                                      301
     1. Validation Procedure                                             301
     2. Summary                                                          304
XI   SYNCHRONIZATION REQUIREMENTS FOR REDUNDANT DIGITAL FLIGHT
     CONTROL SYSTEMS                                                     306
XII  ANALOG INNER LOOPS/DIGITAL OUTER LOOPS                              314


LIST OF ILLUSTRATIONS

Figure                                                                  Page

1    Effects of Periodic Testing With 100% Coverage                       30
2    Triplex, Inflight, Self-Tested Configuration. No Cross Strapping.
     Configuration 1                                                      41
3    Triplex, Inflight, Self-Tested Configuration. Full Cross Strapping.
     Configuration 2                                                      43
4    Quadruplex Configuration 1. No Cross Strapping                       45
5    Quadruplex Configuration 2. Full Cross Strapping                     46
6    Triplex with Back-Up. Configuration 1. No Cross Strapping            47
7    Triplex with Back-Up. Configuration 2. Full Cross Strapping          48
8    P(L∞) Versus (1-α_i); 1-α_p = 1.0;
     Primary Actuator Failure Rate = 0                                    59
9    P(L∞) Versus (1-α_i); 1-α_p = 1.0;
     Primary Actuator Failure Rate = .5 × 10^-6                           60
10   P(L∞) Versus (1-α_p); 1-α_i = .95;
     Primary Actuator Failure Rate = 0                                    61
11   P(L∞) Versus (1-α_p); 1-α_i = .95;
     Primary Actuator Failure Rate = .5 × 10^-6                           62
12   P(L_N) Versus KT; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = 0                                    63
13   P(L_N) Versus KT; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = .5 × 10^-6                           64
14   MFR Versus 1-α_i; 1-α_p = .999;
     Primary Actuator Failure Rate = 0                                    65
15   MFR Versus 1-α_i; 1-α_p = .999;
     Primary Actuator Failure Rate = .5 × 10^-6                           66
16   MFR Versus 1-α_p; 1-α_i = .95;
     Primary Actuator Failure Rate = 0                                    67
17   MFR Versus 1-α_p; 1-α_i = .95;
     Primary Actuator Failure Rate = .5 × 10^-6                           68
18   MFR Versus N_p; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = 0                                    69
19   MFR Versus N_p; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = .5 × 10^-6                           70
20   680-J Survivable Flight Control System (F-4) Pitch Channel,
     Phase IIB, FBW                                                       76
21   Triplex Configuration 1                                              77
22   Triplex Configuration 2                                              78
23   Quadruplex Configuration 1                                           79
24   Quadruplex Configuration 2                                           80
25   680-J Airplane IIB. P(L∞) Versus 1-α_i; 1-α_p = 1.0                 81
26   680-J Airplane IIB. P(L∞) Versus 1-α_i; 1-α_p = 1.0;
     Primary Actuator Failure Rate = .25 × 10^-6                          82
27   680-J Airplane IIB. P(L∞) Versus 1-α_p; 1-α_i = .95                 83
28   680-J Airplane IIB. P(L∞) Versus 1-α_p; 1-α_i = .95;
     Primary Actuator Failure Rate = .25 × 10^-6                          84
29   680-J Airplane IIB. P(L_N) Versus KT; 1-α_i = .95; 1-α_p = .999     85
30   680-J Airplane IIB. P(L_N) Versus KT; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = .25 × 10^-6                          86
31   680-J Airplane IIB. MFR Versus 1-α_i; 1-α_p = .999                  87
32   680-J Airplane IIB. MFR Versus 1-α_i; 1-α_p = .999;
     Primary Actuator Failure Rate = .25 × 10^-6                          88
33   680-J Airplane IIB. MFR Versus 1-α_p; 1-α_i = .95                   89
34   680-J Airplane IIB. MFR Versus 1-α_p; 1-α_i = .95;
     Primary Actuator Failure Rate = .25 × 10^-6                          90
35   680-J Airplane IIB. MFR Versus N_p; 1-α_i = .95; 1-α_p = .999       91
36   680-J Airplane IIB. MFR Versus N_p; 1-α_i = .95; 1-α_p = .999;
     Primary Actuator Failure Rate = .25 × 10^-6                          92

APPENDICES

I-1    Pitch Axis Control                                                106
I-2    Roll Axis Control                                                 107
I-3    Yaw Axis Control                                                  108
I-4    Autothrottle (Airspeed Hold Mode)                                 109
I-5    Approach Power Compensation                                       110
I-6    Glideslope Flare                                                  111
I-7    Glideslope Track                                                  111
I-8    Localizer Track/Align                                             112
I-9    Runway Align/Ground Roll                                          112
I-10   Yaw Damper                                                        112
IV-1   Idealized Force Summed Quadruplex Mechanical SSD                  139
IV-2   Analytical Block Diagram of Mechanical SSD                        140
IV-3   Equivalent Analytical Block Diagram of Mechanical SSD             141
IV-4   SSD Process Representation                                        142
IV-5   Signal Selection Device, Four Channel Operational Amplifier Type  143
IV-6   Threshold Characteristics of a Quadruplex MV SSD                  144
IV-7   Effects of Hardover Failures in a Quadruplex MV SSD.
       1st Failure Undetected, 2nd Failure Undetected                    145
IV-8   Effects of Hardover Failures in a Quadruplex MV SSD.
       1st Failure Undetected, 2nd Failure Detected;
       1st Failure Detected, 2nd Failure Undetected                      146
IV-9   Effects of Hardover Failures in a Quadruplex MV SSD.
       1st Failure Detected, 2nd Failure Detected                        147
IV-10  Effects of Hardover Failures in a Triplex MV SSD.
       1st Failure Undetected, 2nd Failure Undetected                    148
IV-11  Effects of Hardover Failures in a Triplex MV SSD.
       1st Failure Undetected, 2nd Failure Detected;
       1st Failure Detected, 2nd Failure Undetected                      149
IV-12  Effects of Hardover Failures in a Triplex MV SSD.
       1st Failure Detected, 2nd Failure Detected                        150
IV-13  Effect of Oscillatory Failure on Output of a Quadruplex MV SSD    151
V-1    Digital Flight Control System Mechanization. Digital Processor
       and I/O Interface                                                 153
V-2    Digital Computer and Associated I/O                               154
V-3    Analog Input Circuits                                             159
V-4    Input (A/D) Converter                                             160
V-5    Output (D/A) Converter                                            162
V-6a   Discrete Signal Output Driver                                     163
V-6b   Discrete Signal Receiver (With Noise Receiver)                    163
V-6c   Discrete Signal Receiver (For Low Level, High Common Mode
       Noise Signals)                                                    164
V-7    Signaling Codes                                                   169
V-8a   Bipolar RZ Encoder/Transmitter                                    171
V-8b   Bipolar RZ Line Receiver                                          171
V-8c   Receiver Using Optically Coupled Isolators                        171
V-9a   Manchester Encoder/Transmitter                                    173
V-9b   Manchester Line Receiver                                          173
V-9c   Manchester Code Encode/Decode Scheme                              173
VI-1   Comparison Monitoring Techniques                                  179
VI-2   Quadruplex Limited Averaging SSD                                  181
VI-3   Placement of Signal Selection Devices in the Flight Control
       System                                                            182
VI-4   Monitoring Avalanche in a Quadruplex MV SSD                       190
VI-5   Dual Redundant Control System                                     192
VI-6   Equivalent Dual Redundant Control System                          192
VI-7   Dual Redundant Control System Exhibiting Integrators              192
VI-8   Stabilizing Integrator Via Common Inputs                          194
VI-9   Stabilizing Integrator Via Common Outputs                         194
VI-10  Integrator Stabilization Via Equalization for a Dual Redundant
       System                                                            196
VI-11  Integrator Stabilization Via Equalization for a Quadruplex
       Configuration Using Integrator Output Differences                 197
VI-12  Integrator Stabilization Via Equalization for a Quadruplex
       Configuration Using Servo Differences                             198
VI-13  Servo Equalization Via Integration                                199
VI-14  Equalization With Deadzone                                        204
VI-15  Minimum Deadzone to Stabilize Integral Equalization               205
VI-16  Servo Equalization for a Quadruplex Configuration                 207
VI-17  Method for Preventing Overloading of the Equalizing Integrators
       in a Quadruplex Servo Configuration                               210
VI-18  Effects of Integral Equalization on Second Failure Transient in
       a Triplex Configuration with an MV SSD                            213
VII-1  State Table                                                       226
VII-2  Portion of State Diagram                                          227
VII-3  RS Flip-Flop                                                      228
VII-4  State Diagram for RS Flip-Flop                                    231
VII-5  State Diagram for Serial Binary Adder                             233
VII-6  Logic Diagram of Serial Binary Adder                              234
VII-7  State Diagram for RAM of 2, 1-Bit Words (Incomplete)              236
VII-8  Digital Computer and Associated I/O                               243
VII-9  Non-Failed Machine, M                                             250
VII-10 Failed Copy of M, M*                                              250
VII-11 Self-Test Memory Map                                              256
VII-12 Self-Test Flow Diagram                                            264
VIII-1 Modular Multiplex System                                          270
VIII-2 MTU                                                               271
VIII-3 SSIU                                                              272
VIII-4 Additional Subsystem Electronics                                  273
VIII-5 Word Formats                                                      275
VIII-6 3-Bus System. Sensor/Computer Cross Strapping; No Computer/
       Actuator Cross Strapping (Configuration I)                        280
VIII-7 3-Bus System. Sensor/Computer/Actuator Cross Strapping
       (Configuration IA)                                                281
VIII-8 6-Bus System with Separate Intercomputer Busses and Sensor
       Cross Strapping (Configuration II)                                283
VIII-9 6-Bus System with Full Cross Strapping (Configuration III)        285
VIII-10 6-Bus System with Separate Sensor/Comparator Busses; No Cross
       Strapping (Configuration IV)                                      287
VIII-11 6-Bus System. Sensor/Computer Cross Strapping; Computer/
       Actuator Cross-Strapping (Configuration V)                        289
VIII-12 Dedicated System. Input Cross Strapping Via Intercomputer
       Busses; Output Cross Strapping (Optional) (Configuration VI)      291
       Dedicated System With Full Cross Strapping and Voting
       (Configuration VII)
       Dedicated System. Input/Output Cross Strapping Via Analog Voters
       (Configuration VIII)
       Confidence Level Versus Number of Samples
       Cross-Strapping Arrangement Scheme 1
       Cross-Strapping Arrangement Scheme 2
       Single Digital Outer Loop
       Dual/Standby Digital Outer Loop
       Dual/Fail Passive Digital Outer Loop
       Fail Operational Triplex Digital Outer Loops


LIST OF TABLES

Table No.                                                               Page

1      Summary of Loss Rate Per Flight Hour                                9
2      Composite Failure Event for an LRU                                 35
3      Resultant Aircraft States Following Loss of Control of a
       Triplex Configuration                                              50
4      Incremental P(L∞) Versus Preflight Test Coverage                   55
5      Incremental P(L_N) at 5000 Hours Versus Preflight Test Coverage    55
6      Incremental P(L∞), P(L_N) at 5000 Hours and MFR with Preflight
       Test Coverage = .999                                               56
7      MFR Versus Periodic Testing with Preflight Test Coverage = .999    57
8      Preflight Test Coverage Required to Achieve Incremental Flight
       Safety Reliability Goal of 1.0 × 10^-6 With Inflight Test
       Coverage = .95                                                     58
I-1    Memory and Real Time Requirements, FBW PFCS                       105
I-2    I/O Signal Characteristics                                        114
I-3    Autoland System I/O Signal Characteristics                        115
VI-1   Performance Comparison of Midvalue Vs. Limited Averaging Signal
       Selection Processes                                               187
VII-1  State Table for RS Flip-Flop                                      230
VII-2  State Table for Serial Binary Adder                               232
VII-3  Microcircuits of the Bendix BDX 900 Digital Computer              242


LIST OF SYMBOLS

LR        Loss rate (losses/flight hour)
AR        Abort rate (aborts/flight hour)
F         Event that an LRU fails during a mission
A         Event that an LRU alarms during a mission
F̄         Not F
Ā         Not A
T         Mission time (hours)
P(E)      Probability of event E
α         P(Ā|F) = Test deficiency
1-α       Test coverage
P(F̄|A)    Nuisance alarm sensitivity
z         P(F) = 1 - e^(-λT)
λ         Failure rate (failures/flight hour)
αλ        Failure rate of the untested portion of an LRU
E_L       Event of loss of system
E_A       Event of mission abort
f_N       Event of a latent failure at the start of the Nth mission
p_N       P(f_N)
F_N       Event of a failure of an LRU inflight during the Nth mission
A_N       Event of an alarm of the preflight test prior to the (N+1)th mission
α_i       Inflight test deficiency
1-α_i     Inflight test coverage
α_p       Preflight test deficiency
1-α_p     Preflight test coverage
L_N       Event of loss of airplane during the Nth mission given that the
          airplane survived the previous N-1 missions
P(L∞)     lim P(L_N) as N → ∞
Q_N       Event that the control system is not operational at the start of
          or during the Nth mission
q_N       Union of all failure combinations which are not consistent with
          event L_N
MFR       Mean failure rate (average losses/flight hour)
S_N       Event that the airplane failed sometime during the first N missions
MTFF      Mean time to first failure (hours)
SL        Service life of the airplane (hours)
n_K       Number of airplanes lost during the Kth mission
n         Number of airplanes in sample
N_p       Number of missions between periodic tests of 100% coverage
F_t       Event of failure of the test
z_t       P(F_t)

SECTION  1 


INTRODUCTION

1. Introduction

The subject of this study is "Redundancy" in digital flight control systems. One of the objectives of the study is to identify those characteristics of the digital computer which tend to improve or lessen mission and flight safety reliability and to suggest requirements and design and validation procedures which will insure compliance with these objectives without compromising performance. In this context the following specific areas (among others) were considered:

a. Failure detection capability of the digital computer

b. The effects of undetected failures

c. Inflight and preflight test requirements

d. Flight safety evaluation criteria

e. Reduction in the number of redundant channels through improved failure detection

f. Techniques of signal selection as a means to improve flight safety reliability

g. Isolation, buffering and I/O requirements

h. Validation of test procedures

i. Multiplexed communications

Unfortunately, time did not permit the inclusion of the important topic of survivability and the effects of battle damage.

Throughout the study, emphasis was placed on identifying general problem areas and formulating design data rather than on proposing solutions to specific problems. The justification for this approach is that there is hardly any task in the flight control application which is not specific to a particular set of conditions; i.e., noise environment, configuration, mission and reliability objectives, etc. As a consequence, a solution in one situation may be invalid in another. There is another area in which a certain restraint is desirable and that is when imposing requirements to insure that a particular objective is achieved. Too frequently such requirements are based on inadequate data, and therefore could become

It is essential that consideration be given to alternatives which may be better for specific applications.


SECTION  2 


SUMMARY 


2. Summary

The major areas of investigation are summarized in the following paragraphs.

Section 3

• Mission and flight safety reliability goals are established based on field data of existing military and commercial aircraft.

• Failure detection capability of a test is defined in terms of test coverage and sensitivity to nuisance alarms. In terms of these parameters, the failure detection requirements of a redundant configuration can be specified.

Section 4

• Ground rules are established for the tradeoffs of redundant configurations, including those characteristics of secondary actuators and signal selection devices which are pertinent to the study.

• The effects of combinations of detected and undetected failures and nuisance alarms on several candidate redundant configurations are discussed.

• Abort strategies are defined and abort rate computed for each candidate configuration.

Section 5

This section contains the results of the flight safety reliability tradeoffs of the candidate configurations.

Section 6

The techniques and methods of the previous sections are applied to the longitudinal axis of the 680-J airplane using F-4 component reliability data.

Section 7

Pertinent differences between analog and digital implementation of a FBW PFCS are discussed.

Section 8

Based upon results of the study, additional requirements for inclusion in MIL-F-9490D are recommended.

Section 9

Conclusions and recommendations for future action are presented.

3. Appendices

The Appendices generally contain either detailed mathematical derivations, reference and supporting data, or subject matter which, although important from the point of view of redundancy, was not considered appropriate for the main text. Included in this latter category are discussions of:

a. Redundant Secondary Actuators

b. Signal Selection and Monitoring

c. Self Test Considerations

d. Multiplex Communications

e. Test Validation Considerations
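The Section 3 summary above defines failure detection capability by test coverage (1-α, with α = P(Ā|F) the test deficiency), and Appendix VII validates a self-test program against a breadboard by modelling the hardware as a sequential machine and representing failures by their effects. The following script is an added example, not code from the report or from Bendix, of how that coverage number is actually measured: it models the serial binary adder of Appendix VII as a small gate-level sequential machine, enumerates a stuck-at fault on every internal net, runs a candidate self-test vector set against the fault-free machine and against each faulted copy, and reports the coverage achieved and the faults the test misses. The netlist, the fault universe and the two vector sets are constructions of this example, not the report's.

```python
"""Measuring self-test coverage (1 - alpha) by fault injection on a small
sequential machine. Added example; the adder netlist and the stuck-at fault
universe are this example's own constructions."""

# Internal nets of a gate-level serial binary adder (one sum bit per clock;
# the carry is the machine's single state bit).
NETS = ("a", "b", "cin", "x1", "s", "t1", "t2", "cout")

# Fault universe: every net stuck at 0 and stuck at 1 (16 single faults).
ALL_FAULTS = [(net, value) for net in NETS for value in (0, 1)]


def adder_step(carry, a, b, fault=None):
    """One clock of the serial adder. `fault` is (net, stuck_value) or None.
    Returns (next carry, sum bit)."""
    def net(name, value):
        # Replace the computed value with the stuck value if this net is faulted.
        return fault[1] if fault is not None and fault[0] == name else value

    a, b, cin = net("a", a), net("b", b), net("cin", carry)
    x1 = net("x1", a ^ b)            # half-adder XOR
    s = net("s", x1 ^ cin)           # sum bit
    t1 = net("t1", a & b)            # carry generate
    t2 = net("t2", cin & x1)         # carry propagate
    cout = net("cout", t1 | t2)
    return cout, s


def run(bits_a, bits_b, fault=None):
    """Clock two bit strings (LSB first) through the adder.
    Returns (sum bits, final carry); the final carry is observable too."""
    carry, out = 0, []
    for a, b in zip(bits_a, bits_b):
        carry, s = adder_step(carry, a, b, fault)
        out.append(s)
    return out, carry


def self_test(vectors, fault=None):
    """The self-test: apply each vector and compare the response against the
    fault-free ("golden") response. Returns True if an alarm (mismatch) is raised."""
    return any(run(va, vb, fault) != run(va, vb) for va, vb in vectors)


def undetected_faults(vectors):
    """Faults in the universe that raise no alarm under this vector set."""
    return [f for f in ALL_FAULTS if not self_test(vectors, f)]


def coverage(vectors):
    """Measured test coverage 1 - alpha over the enumerated fault universe.
    Each fault is weighted equally here (an assumption of this example; the
    report's alpha is a probability over failures, i.e. weighted by their rates)."""
    return 1.0 - len(undetected_faults(vectors)) / len(ALL_FAULTS)


# Constructed vector sets. ZERO_VECTORS is a deliberately weak test that only
# ever adds zeros; FULL_VECTORS drives every net to both values and propagates
# the effect to an observable output (sum bit or final carry).
ZERO_VECTORS = [([0, 0, 0], [0, 0, 0])]
FULL_VECTORS = [([0], [0]), ([1], [0]), ([1, 0], [1, 0]), ([1, 1], [1, 0])]

if __name__ == "__main__":
    for name, vecs in (("zero-only test", ZERO_VECTORS), ("full test", FULL_VECTORS)):
        print(f"{name}: coverage 1-alpha = {coverage(vecs):.3f}, "
              f"alpha = {1 - coverage(vecs):.3f}, missed = {undetected_faults(vecs)}")
```

The zero-only test raises an alarm for every stuck-at-1 fault and for none of the stuck-at-0 faults, so it measures a coverage of 0.5 (α = 0.5) even though it "passes" on good hardware; the four-vector set reaches 1.0 over this fault universe. Two caveats carry over to real self-test validation: the measured coverage is only as good as the fault universe (a stuck-at list says nothing about failure modes it does not enumerate), and because the model here is deterministic the nuisance alarm sensitivity P(F̄|A) is zero by construction, whereas a self-test on real hardware with noise and tolerances has to be validated on that axis as well.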




SECTION  3 

EVALUATION  CRITERIA  FOR  REDUNDANCY  STUDIES 
1. Design Goals Established

In the following chapters, tradeoff studies of digital flight control configurations will be reported. It is assumed that the control system is flight critical and its loss would result in loss of the airplane. In particular, the intended application is either a fly-by-wire (FBW) primary flight control system (PFCS) or a control and stability augmentation system (CAS/SAS) for an aircraft that could be statically or dynamically unstable in certain portions of its flight regime.

In these studies, configurations are evaluated from the point of view of mission and flight safety reliability. Other factors, perhaps equally important, were considered to the extent that they imposed constraints on the candidate configurations. Cost, size, weight, power, maintainability, survivability and reliability are some of these factors.

a. Flight Safety Reliability Goals

The following estimates of flight safety reliability (and mission reliability in the next section) were obtained from surveys of military fighter and cargo aircraft in the time period 1960-1973 and commercial aircraft in the time period 1950-1960. The estimates are given in terms of loss rates (designated LR = losses/flight hour) involving either all flight controls or primary flight controls. The flight controls category includes:

    primary flight control
    secondary flight control
    automatic flight control
    hydraulic and electrical power supplies

The primary flight controls include:

    rudder, aileron, elevator (stabilator) actuators
    control linkages
    feel and trim system

In a survey (Ref. 1) of several types of naval fighter aircraft (e.g., F-4, F-8, A-5, A-6, A-7) in the time period 1960-1970, the following estimates are given:

Flight Controls

    LR = 11.6 × 10^-6 (averaged over all aircraft types)
    LR = 10.35 × 10^-6 (for the F-4)

Primary Flight Controls

    LR = 5.5 × 10^-6 (averaged over all aircraft types)
    LR = 6.6 × 10^-6 (for the F-4)

The loss rates involving the PFCS were attributed to either the power actuators or control linkages, the estimated average distribution being

    Power Actuator:   LR = 3.2 × 10^-6
    Control Linkage:  LR = 2.3 × 10^-6
    Total:            LR = 5.5 × 10^-6

The cited estimates include the additional hazard of carrier operations. When losses are deleted which could be attributed to the carrier environment, the resultant estimate is

    LR = 4.63 × 10^-6 (for the F-4)

as compared with

    LR = 6.6 × 10^-6 for carrier operations.

In another survey (Ref. 2) of USAF aircraft (e.g., F-4, F-101, F-111) in the time period 1966-1970 the following estimates are given:

Flight Controls (Excluding Hydraulic and Electrical Power Supplies)

    LR = 30.0 × 10^-6 (averaged over all aircraft types)
    LR = 5.8 × 10^-6 (for the F-4)

Primary Flight Controls

    LR = 13.7 × 10^-6 (averaged over all aircraft types)
    LR = 3.8 × 10^-6 (for the F-4)

It is interesting to note the loss rate due to all causes. From data supplied by Tactical Air Command covering all types of military aircraft the estimates are:

    LR = 120.0 × 10^-6 (for fighter aircraft)
    LR = 20.0 × 10^-6 (for cargo aircraft)

for the time period 1966-1970. Supporting data is given in Ref. 14. There the loss rate due to all causes, for the year 1967, is

    LR = 140.0 × 10^-6 (averaged over 7 types of fighter aircraft)
    LR = 141.0 × 10^-6 (for the F-4).

An estimate of the loss rate of the present F-4 primary flight control system, longitudinal axis, is

    LR = 1.145 × 10^-6

assuming a stabilator actuator failure rate of 1.0 × 10^-6 failures/hour. This estimate includes hydraulic and electrical power supplies and current equipment failure rates.

Footnote: In a survey of commercial aircraft (Ref. 16) in the time period 1950-1960 the loss rate of the PFCS is estimated to be

    LR = 0.23 × 10^-6.


Reference  19  ( MIL-F-9490D  User's  Guide)  cites  the 
following  estimates: 

Flight  Controls  (Including  Hydraulic  and  Electrical 
Power  Supplies) 

LR  = 0.55  X 10“®  (averaged  over  B-52,  C-135, 

C-141  aircraft,  1964-1973) 

LR  = 8.97  X 10“®  (F-4,  1960-1970) 

LR  * 2.88  X 10“®  (rotary  wing  aircraft  averaged 

over  H-1,  H-3,  H-43,  H-53) 

Siunmarizing  these  estimates  and  making  allowances  for  improve- 
ment in  equipment  the  following  projection  is  considered  a 
reasonable  goal  for  flight  safety  reliability  of  a primaxry 
flight  control  system  which  includes  hydraulic  and  electrical 
power  supplies: 

LR  = 3.0  X 10“®  (for  fighter  aircraft) 

b. Mission Reliability Goals

In Ref. 2 mission reliability estimates are given in terms of in-flight abort rate (AR = Aborts/Flight Hour) for the referenced aircraft. Since aborts are not normally reported as such when accidents occur on the homeward leg of the mission, the following estimates have been modified (by the factor 1.5) to reflect the rate throughout the entire mission:

Flight Controls (Excluding Hydraulic and Electrical Power Supplies)

AR = 2,295.0 x 10^-6 (averaged over all aircraft types)

AR = 1,710.0 x 10^-6 (for the F-4)

Primary Flight Controls

AR = 450.0 x 10^-6 (averaged over all aircraft types)

AR = 420.0 x 10^-6 (for the F-4)

In Ref. 1 the estimated abort rate is

AR = 165 x 10^-6 (F-4, Navy)

Loss rate data is summarized in Table 1.


TABLE 1. SUMMARY OF LOSS RATE/FLIGHT HOURS

[Table body illegible in the scan except for the following row]

AVERAGE, Rotary Wing (H-1, H-3, H-43, H-53)    2.88 x 10^-6


2. Inflight and Preflight Test Coverage

Of the many elements which influence flight safety reliability, the following are primary:

• Component Reliability

• Configuration (Redundancy, end-to-end, etc.)

• Failure Detection Capability

At the present time the reliability of a non-redundant FBW PFCS is not sufficient to achieve the reliability goals established in the previous section. Excluding sensors and primary actuators, the combined failure rate of digital controller and a secondary actuator would probably exceed 300 x 10^-6 failures/hour. Because of this deficiency of the basic components it is necessary to resort to redundancy techniques to improve system reliability.

Regardless of the levels of redundancy, every redundant configuration inherently depends upon some form of failure detection and subsequent removal or rerouting of failed components either before or during each mission. One of the objectives of this study is to define a measure of failure detection capability which can be used to specify failure detection requirements for a given redundant system and reliability goal and to show to what extent system reliability is compromised by non-perfect failure detection.

The basic unit of the system is the LRU (Line Replaceable Unit) which, for purposes of this discussion, is the smallest field-replaceable system element. Associated with each LRU is a failure detection device whose function is to alarm if the LRU does not conform to some model characteristics. The LRU is assumed to consist of a large number of components, each with a small probability of failing during a mission of duration T. The LRU is considered to have failed when at least one component fails. Finally, it is assumed that failures of all components including the LRU are Poisson* distributed in time.


* See  Appendix  III 




Define:

F = Event that the LRU fails during the mission
A = Event that the LRU alarms during the mission
F̄ = Not F
Ā = Not A

The probability model consists of the events F, F̄, A, Ā, FA, FĀ, F̄A, F̄Ā together with their probabilities of occurrence during the mission. In this context,

FĀ is an undetected failure,

F̄A is a nuisance alarm,

FA is a detected failure.

According to this model the occurrence of a failure and an alarm during the mission is a detected failure regardless of their order of occurrence or the time interval between failure and alarm. The alarm device is a failure detector and annunciator which may be either dedicated hardware, as with a comparator, or a self-test software program, or a combination of both.

Details of the following discussion can be found in Appendix III.

Define

α = P(Ā|F) = P(FĀ)/P(F)                                   (1)

β = P(F̄|A) = P(F̄A)/P(A)                                   (2)

α, β are the conditional probabilities of Ā given F and F̄ given A, respectively.


It is shown in Appendix III that the following relationships apply:

P(FĀ) = α z                                               (3)

P(FA) = (1 - α) z                                         (4)

P(F̄A) = β (1 - α) z / (1 - β)                             (5)

P(F̄Ā) = 1 - z - β (1 - α) z / (1 - β)                     (6)

P(A) = (1 - α) z / (1 - β)                                (7)

where z = P(F).


From the above expressions it can be seen that the probabilities of the events FĀ, F̄A, FA, F̄Ā, A can be obtained in terms of the three parameters α, β, P(F). These parameters may be selected independently* subject only to the constraint imposed by the inequality

The quantities α and β are measures of the failure detection capability of a test relative to the LRU being tested. The quantity β is a measure of the sensitivity to nuisance alarms and it is desirable that β be small for a given test. The quantity α, however, does not reflect the detection capabilities of the test, depending, as it does, on the interaction between nuisance alarms and alarms which are the result of detected failures. Thus, a small value of α is not necessarily a good indicator of detection capability. This is not surprising since the probability model does not distinguish between causal and non-causal alarms.** However, in the complete absence of nuisance alarms, i.e., β = 0, α is equal to the ratio of undetected to total failures, assuming that all failures are equiprobable.*** In this case α is called the test deficiency and 1 - α is called the test coverage. Observe that 1 - α is equal to the ratio of detected to total failures. It is shown in Appendix III that, if the mission time is sufficiently small, then

Test Deficiency = P(Ā|F), approximately.

* α and β may be functionally related, depending upon the detection procedure.

** Causal alarm = an alarm caused by a failure.

*** If λ = failure rate of the LRU and λ_0 = failure rate of that portion of the LRU which is not tested, then

Test deficiency = λ_0 / λ

if the mission time is sufficiently small.


a. Applying the Probability Model

In the context of estimating the flight safety reliability of a redundant control system the procedure for applying the probability model is:

(1) Determine α, β and P(F) for each LRU. This presumes that a test procedure exists for each LRU.

(2) Define the event, E, of the loss of the airplane or loss of system, as the case may be, in terms of the events F, F̄, A, Ā, FA, FĀ, F̄A, F̄Ā for each system LRU. The event, E, is application dependent and will differ for each configuration, servo characteristics, etc.

(3) Compute P(E).

Implicit in this procedure is the assumption that α and β can be determined for each LRU independently of any other LRU or even of the configuration itself. It is recognized that this assumption may not always be valid for certain kinds of tests, notably comparison monitoring, where an upstream failure could prevent detection of failures downstream or where a failure in one channel could seriously degrade coverage in the other channels. While such characteristics are undesirable in any test and should be avoided whenever possible, it is necessary to include such considerations in the evaluation of a given test.

b. Example

Consider a dual, standby configuration consisting of a single actuator commanded by one of two computers. In the event that the command computer fails the standby computer is switched onto the driving channel. Assume that

(1) the servo has a zero failure rate,

(2) each computer is in a non-failed state at the start of the mission,

(3) the standby computer is powered throughout the mission,

(4) loss of system occurs when

E_s = A_1 F_2 + F_1 Ā_1

(5) a mission abort occurs when

E_a = (A_1 + A_2) Ē_s

where the subscripts 1 and 2 designate the active and standby channels, respectively. The probability of loss of system is

P(E_s) = P(A_1) P(F_2) + P(F_1 Ā_1)

       = (1 - α) z^2 / (1 - β) + α z

where

z = P(F_1) = P(F_2) = 1 - e^(-λT).

In the absence of nuisance alarms, i.e., β = 0,

P(E_s) = (1 - α) z^2 + α z.


In order to estimate inflight test requirements assume

(a) z = 300 x 10^-6, which is a typical single channel failure rate, and

(b) two thirds of the flight safety reliability goal of 3.0 x 10^-6 for fighter aircraft is allocated to the servos. Then, in order to meet the flight safety reliability goal, it is necessary that

α z = α x 300 x 10^-6 ≤ 1.0 x 10^-6
or α ≤ 0.00333...
or 1 - α ≥ 0.99666...

i.e. 99.66% of all failures must be detected.

It should be noted that in the active/standby arrangement inflight failures must be detected and acted upon almost immediately as they occur in order to prevent the failure transients from propagating to the surfaces. This imposes a severe additional requirement on inflight test. The effects of nuisance alarms on loss of system can be obtained by setting α = 0. Thus

P(E_s) = z^2 / (1 - β).

Obviously nuisance alarms have a negligible effect on loss of system in this example. However, nuisance alarms have a very significant effect on mission aborts. From the event of mission abort, the probability is seen to be

P(E_a) = 2 (1 - α) z / (1 - β), approximately.

If 1 out of every 2 alarms is a nuisance alarm then

P(E_a) ≈ 4z = 4 x 10^-4 = 400 x 10^-6 (if α is small)

which is approximately the abort rate for the F-4.
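As an added example (not from the report), the following Python computes the event probabilities of (3)-(7) from α, β and z and applies them to the dual active/standby example above. Function names are the editor's own; the numbers are the report's (z = 300 x 10^-6 per mission, one third of the 3.0 x 10^-6 goal for the computers, and z = 10^-4 behind the 4z = 400 x 10^-6 abort figure).

```python
# Added example, not from the report: the alpha/beta failure-detection model of
# equations (1)-(7) and the dual active/standby example.  Function names are
# the editor's own; numbers are the report's.
import math


def mission_failure_probability(lam, T):
    """z = P(F) = 1 - exp(-lambda T): Poisson-distributed failures in time."""
    return 1.0 - math.exp(-lam * T)


def event_probabilities(alpha, beta, z):
    """Probabilities of the four joint events and of an alarm, per (3)-(7).

    alpha = P(A-bar | F): fraction of LRU failures the test does not alarm on
    beta  = P(F-bar | A): fraction of alarms that are nuisance alarms
    z     = P(F):         probability that the LRU fails during the mission
    """
    if not (0.0 <= alpha <= 1.0 and 0.0 <= beta < 1.0 and 0.0 <= z <= 1.0):
        raise ValueError("need alpha, z in [0, 1] and beta in [0, 1)")
    undetected = alpha * z                      # (3) P(F A-bar)
    detected = (1.0 - alpha) * z                # (4) P(F A)
    nuisance = beta * detected / (1.0 - beta)   # (5) P(F-bar A)
    alarm = detected / (1.0 - beta)             # (7) P(A) = P(FA) + P(F-bar A)
    quiet = 1.0 - z - nuisance                  # (6) P(F-bar A-bar)
    if quiet < 0.0:
        # the four joint events partition the sample space, so they must sum
        # to 1 with no negative term; this bounds how large beta may be for a given z
        raise ValueError("alpha, beta, z are not a consistent parameter set")
    return {"FAbar": undetected, "FA": detected, "FbarA": nuisance,
            "FbarAbar": quiet, "A": alarm}


def dual_standby_loss(alpha, beta, z):
    """P(E_s) = P(A1) P(F2) + P(F1 A1-bar): the active channel alarms (any
    cause) with the standby already failed, or the active fails undetected."""
    p = event_probabilities(alpha, beta, z)
    return p["A"] * z + p["FAbar"]


def dual_standby_abort(alpha, beta, z):
    """P(E_a) ~ 2 P(A): an alarm in either channel aborts the mission."""
    return 2.0 * event_probabilities(alpha, beta, z)["A"]


def max_inflight_deficiency(z, loss_budget):
    """With beta = 0 the alpha*z term dominates P(E_s).  Return the largest
    alpha with alpha * z <= loss_budget and the matching coverage 1 - alpha."""
    alpha_max = loss_budget / z
    return alpha_max, 1.0 - alpha_max


if __name__ == "__main__":
    z = 300e-6                                  # typical single-channel failure rate
    a, c = max_inflight_deficiency(z, 1.0e-6)   # 1/3 of the 3.0e-6 goal for computers
    print(f"alpha <= {a:.5f}, coverage >= {c:.5f}")
    print("loss of system, alpha=0, beta=0.5:", dual_standby_loss(0.0, 0.5, z))
    print("abort rate, alpha=0, beta=0.5, z=1e-4:", dual_standby_abort(0.0, 0.5, 1e-4))
```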

3. Latent Failures

In estimating the probability of success of a given mission two types of failures must be considered:

a. Inflight Failures: Failures which occur during the mission.

b. Latent Failures: Failures which occurred previously and were not removed or detected by inflight monitors on successive applications of preflight tests.

Latent failures can be subdivided into active and passive. Active failures directly affect a computation in the signal chain and are presumed to have failed the entire LRU. Passive latent failures do not directly affect the signal chain unless accompanied by additional, and possibly remotely occurring, failures or even system states. Examples of such failures would include limiters, states or state transition paths of MSI devices such as random access memories, inflight monitors, ground test equipment, etc. The effects of passive latent failures on flight safety reliability are difficult to establish since such failures can exist simultaneously in all channels of a redundant system without adversely affecting system operation. As a consequence, a reliability model which includes the effects of passive latent failures does not appear to be feasible. For purposes of this study all latent failures are presumed to be active. This approach, although somewhat unrealistic, is at least conservative.




While some redundant configurations are less sensitive to latent failures than others, latent failures tend to compromise flight safety reliability in all configurations. The extent of this compromise will be determined in subsequent sections. We proceed now to derive an expression for the probability of a latent failure of an LRU.

Here and throughout the remainder of the report it will be convenient to distinguish between inflight monitoring and preflight tests. Inflight monitoring is performed during the mission and for the purpose of removing failures in order to reduce failure transients or to improve the benefits of cross strapping. Preflight test is administered on the ground and before every mission for the purpose of detecting latent failures. It is desirable, at least from the operations point of view, that preflight test be built-in.

The major system components whose failure must be detected either inflight or in preflight test are

• sensors

• digital computers

• actuators

• displays and controls

• monitoring, testing and disengage devices

• communications paths

• redundant-system-associated components such as signal selection devices, inter-computer links, etc.

With the possible exception of the displays, an undetected failure of any of these components could seriously compromise the operational capability and safety of the aircraft.

According to the assumption which regards the LRU as the smallest field replaceable system element, a detected failure of any component within an LRU will cause the entire LRU to be replaced. As a consequence, a latent failure will be removed if the failure is detected or if some other failure of the LRU occurs and is detected. Regarding the existence and detection of latent failures, we make the following additional assumptions:




• The existence of a latent failure of an LRU does not impair detection of subsequent failures provided that it was not the test or alarm mechanism that failed.

• A failure, once undetected, will remain undetected no matter how frequently the test is administered.

This latter assumption tends to be more valid for computer self test than for comparison monitoring. In any case it is a conservative assumption.

Let

f_N = Event of a latent failure at the start of the Nth mission.

F_(N-1) = Event of an inflight failure during the (N-1)th mission.

A_N = Event of an alarm of the preflight test prior to the (N+1)th mission.

The preflight test may incorporate inflight monitoring. Thus, A_N may include inflight monitoring during the Nth mission.

A latent failure at the start of the Nth mission can occur if and only if

f_N = f_(N-1) F̄_(N-1) + f̄_(N-1) F_(N-1) Ā_(N-1) + f_(N-1) F_(N-1) Ā_(N-1)          (9)

In other words, a latent failure can occur at the start of the Nth mission if and only if

• A latent failure existed at the start of the (N-1)th mission and no inflight failure occurred, or

• No latent failure existed at the start of the (N-1)th mission and an inflight failure occurred and was not detected, or

• A latent failure existed at the start of the (N-1)th mission and an inflight failure occurred and was not detected.

Taking probabilities of both sides of (9) yields

P(f_N) = P(f_(N-1)) (1 - z) + [1 - P(f_(N-1))] α_p z + P(f_(N-1)) α_p z

       = (1 - z) P(f_(N-1)) + α_p z                                                (10)

where z = P(F_(N-1)) and α_p is the preflight test deficiency.

Solving difference equation (10) for the initial condition P(f_1) = 0 yields

P(f_N) = α_p [1 - (1 - z)^(N-1)]                                                   (11)

as the probability of a latent failure at the start of the Nth mission. Observe that, since z = 1 - e^(-λT),

P(f_N) = α_p [1 - e^(-λ(N-1)T)].

Thus, P(f_N) approaches α_p exponentially with a time constant equal to 1/λ hours. If the LRU incorporates the whole channel then z = 300 x 10^-6, approximately, and 1/λ = 3,333 hours. Because of the existence of latent failures the probability of loss of airplane will be a function of elapsed operational time. Define
Define 


L_N = Event of loss of airplane during the Nth mission given that the airplane survived the previous N-1 missions.

The probability, P(L_N), is the primary measure of flight safety. However, before evaluating P(L_N) it is necessary to obtain the connection between L_N and the event of loss of system. Let

Q_N = Event that the control system is not operational at the start of or during the Nth mission.

The event, Q_N, is configuration dependent and will consist of all failures, detected now and undetected earlier, which render the configuration non-operational. Some of these failure combinations, however, are not consistent with the premise that the airplane survived the previous missions. These combinations will involve the number and location of latent failures. Let q_N denote the union of those failure combinations which are not consistent with this premise. Then we define

P(L_N) = P(Q_N | q̄_N).

This equation relates loss of airplane to loss of system given that the airplane survived the previous missions.

Example

Consider a triplex configuration with no inflight monitoring and assume that the digital computers are the only system LRU's with a non-zero failure rate and that loss of system occurs when two or more channels fail. Then

Q_N = (f_1N + F_1N)(f_2N + F_2N) + (f_1N + F_1N)(f_3N + F_3N) + (f_2N + F_2N)(f_3N + F_3N)          (12)

where

f_KN = Event of a latent failure of the Kth channel,

F_KN = Event of an inflight failure of the Kth channel.

Observe that, if P(F_KN) = z, then

P(Q_N) = 3z^2 - 2z^3

in the absence of latent failure, as expected. It is apparent that the only permissible combinations of latent failure are

a_N = f̄_1N f̄_2N f̄_3N

b_N = f_1N f̄_2N f̄_3N

c_N = f̄_1N f_2N f̄_3N

d_N = f̄_1N f̄_2N f_3N

Thus


q̄_N = a_N + b_N + c_N + d_N                                                        (13)

and

P(L_N) = P(Q_N | q̄_N) = P(Q_N | a_N) P(a_N)/P(q̄_N) + P(Q_N | b_N) P(b_N)/P(q̄_N)
                        + P(Q_N | c_N) P(c_N)/P(q̄_N) + P(Q_N | d_N) P(d_N)/P(q̄_N)          (14)

since a_N, b_N, c_N, d_N are mutually exclusive.

From (12) it can be seen that

P(Q_N | a_N) = P(F_1 F_2 + F_1 F_3 + F_2 F_3) = 3z^2 - 2z^3

P(Q_N | b_N) = P(F_2 + F_3) = 2z - z^2

P(Q_N | c_N) = P(F_1 + F_3) = 2z - z^2

P(Q_N | d_N) = P(F_1 + F_2) = 2z - z^2

From the expression (11) for the probability of a latent failure

P(b_N) = P(c_N) = P(d_N) = p_N (1 - p_N)^2

P(a_N) = (1 - p_N)^3

P(q̄_N) = 3 p_N (1 - p_N)^2 + (1 - p_N)^3

where p_N = P(f_KN) = α_p [1 - (1 - z)^(N-1)].

Substituting these quantities into (14) yields

P(L_N) = [3(2z - z^2) p_N (1 - p_N)^2 + (3z^2 - 2z^3)(1 - p_N)^3] / [3 p_N (1 - p_N)^2 + (1 - p_N)^3]

       = [3(2z - z^2) p_N + (3z^2 - 2z^3)(1 - p_N)] / (1 + 2 p_N)                      (17)

Observe that

P(L_N) = 3z^2 - 2z^3 when α_p = 0.

If the service life of the airplane is large compared with the time constant 1/λ, where z = 1 - e^(-λT), then we can replace p_N by α_p. If, in addition, α_p << 1, then

P(L_N) ≈ 3(2z - z^2) α_p + (3z^2 - 2z^3)

       ≈ 6 z α_p + 3 z^2                                                            (18)

after a large number of missions have elapsed. Typically, z = 100 x 10^-6 for a one hour mission. For a commercial jet aircraft with a service life of 60,000 hours the approximation of (18) is valid since the latent failure time constant is 10,000 hours. If 0.1 x 10^-6 of the 0.23 x 10^-6 goal for commercial aircraft is allocated to computers then, in order to meet the flight safety reliability goal, it is necessary that

6 α_p x 100 x 10^-6 + 3 x 10^-8 ≤ 0.1 x 10^-6

Solving for α_p yields

α_p ≤ 0.0001166

i.e., the preflight test coverage must be better than 0.9998 (i.e., 99.98% of all failures must be detected). Equivalently, the failure rate of the untested equipment must be less than 1.166 x 10^-8 per hour.

In practice the expression for P(L_N) of (14) can be simplified considerably. If

α_p << 1

then we may use the approximation

1/P(q̄_N) ≈ 1.

Substitution into (14) yields

P(L_N) = P(Q_N a_N) + P(Q_N b_N) + P(Q_N c_N) + P(Q_N d_N)                          (19)

approximately.

Henceforth, in order to distinguish between inflight and preflight test deficiencies, the former will be denoted by α_i and the latter by α_p.

At this point we summarize the successive development of the reliability model. For this purpose consider the triplex configuration of the previous example except that each channel is self-monitored inflight.

Model #1

The simplest model is based on the following assumptions:

(1) 100% inflight coverage

(2) No latent failures at the start of each mission

(3) No nuisance alarms.

Accordingly, the probability of loss of system is

z^3 ≈ 10^-12 T^3, approximately.

Model #2

This model is based on assumptions (2) and (3). Then, the probability of loss of system is

z^3 + 6 α_i z^2 ≈ 10^-12 T^3 + 6 α_i x 10^-8 x T^2, approximately.

Model #3

In this model only assumption (3) is retained. As a consequence, the probability of loss of system is

z^3 + 6 α_i z^2 + 6 α_p [1 - e^(-0.0001(N-1)T)] z

≈ 10^-12 T^3 + 6 α_i x 10^-8 T^2 + 6 α_p [1 - e^(-0.0001(N-1)T)] x 10^-4 T,

approximately.

A comparison of these models indicates that the successive additional terms could easily dominate the preceding terms. Thus, a flight safety reliability estimate based on model #1 or even model #2 could be excessively optimistic.
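As an added example (not from the report), the following Python iterates the difference equation (10) and checks it against (11), evaluates (17) and (18) for the unmonitored triplex, solves for the α_p of the commercial-aircraft case, and tabulates the terms of models #1 to #3. Function names are the editor's own; the numbers are the report's (z = 100 x 10^-6 per one-hour mission, λ = 10^-4 per hour, 0.1 x 10^-6 allocated to the computers).

```python
# Added example, not from the report: latent-failure recursion (10), closed
# form (11), the unmonitored-triplex P(L_N) of (17)/(18), the alpha_p solution
# for the commercial-aircraft case, and the three model terms of section 3.
# Function names are the editor's own; numbers are the report's.
import math


def latent_prob_recursive(alpha_p, z, n_missions):
    """Iterate (10), P(f_N) = (1 - z) P(f_(N-1)) + alpha_p z, from P(f_1) = 0."""
    p = 0.0
    for _ in range(1, n_missions):
        p = (1.0 - z) * p + alpha_p * z
    return p


def latent_prob_closed(alpha_p, z, n_missions):
    """Closed form (11): P(f_N) = alpha_p [1 - (1 - z)^(N-1)]."""
    return alpha_p * (1.0 - (1.0 - z) ** (n_missions - 1))


def triplex_loss_exact(z, p_n):
    """Equation (17): P(L_N) for a triplex with no inflight monitoring, given
    the same latent-failure probability p_n in each channel."""
    two_of_three = 3.0 * z ** 2 - 2.0 * z ** 3      # loss with no latent failure
    one_more = 2.0 * z - z ** 2                     # loss with one latent failure
    num = 3.0 * one_more * p_n * (1.0 - p_n) ** 2 + two_of_three * (1.0 - p_n) ** 3
    den = 3.0 * p_n * (1.0 - p_n) ** 2 + (1.0 - p_n) ** 3
    return num / den


def triplex_loss_approx(z, alpha_p):
    """Equation (18), valid after many missions and for alpha_p << 1."""
    return 6.0 * z * alpha_p + 3.0 * z ** 2


def max_preflight_deficiency(z, goal_per_mission):
    """Largest alpha_p with 6 z alpha_p + 3 z^2 <= goal (the (18) requirement)."""
    alpha_p = (goal_per_mission - 3.0 * z ** 2) / (6.0 * z)
    if alpha_p < 0.0:
        raise ValueError("goal unattainable even with a perfect preflight test")
    return alpha_p


def self_monitored_triplex_models(alpha_i, alpha_p, lam, T, n_missions):
    """Loss-of-system probability under models #1, #2 and #3 for the
    self-monitored triplex: z^3, + 6 alpha_i z^2, + 6 p_N z."""
    z = 1.0 - math.exp(-lam * T)
    p_n = alpha_p * (1.0 - math.exp(-lam * (n_missions - 1) * T))
    model1 = z ** 3
    model2 = model1 + 6.0 * alpha_i * z ** 2
    model3 = model2 + 6.0 * p_n * z
    return model1, model2, model3


if __name__ == "__main__":
    z = 100e-6                                   # computer, one-hour mission
    ap = max_preflight_deficiency(z, 0.1e-6)     # 0.1e-6 of the 0.23e-6 goal
    print(f"alpha_p <= {ap:.7f}, coverage >= {1 - ap:.4f}, "
          f"untested failure rate <= {ap * z:.3e}/h")
    print("exact (17) vs (18):", triplex_loss_exact(z, ap), triplex_loss_approx(z, ap))
    for n in (1, 1000, 60000):
        print(n, self_monitored_triplex_models(0.01, ap, 1e-4, 1.0, n))
```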

4. Alternate Measures of Flight Safety Reliability

In the presence of latent failures the probability, P(L_N), is a function of mission duration and number of elapsed missions. In this case there is an ambiguity in the meaning of flight safety reliability since the probability of a safe mission is time dependent. Several options are available:

a. Require that

P(L_N)/T ≤ flight safety reliability goal for all N.

This is a valid criterion for a commercial aircraft whose service life is well in excess of the latent failure time constants of the system LRU's.

b. Require that

P(L_N)/T ≤ flight safety reliability goal for NT = service life of the airplane.

This criterion insures that P(L_N) will never be less than the

While sufficient, the criterion is not necessary in order to meet the reliability goals as estimated from field data.

c. Require that some "average" value of P(L_N)/T be less than the flight safety reliability goal.

The average (mean failure rate) is defined to reflect the way in which reliability estimates are obtained from field data, i.e., the number of aircraft losses divided by the number of flight hours of the sample.

Options 1 and 3 will be used in the tradeoff studies to follow.

An expression for the mean failure rate will now be derived.

Define

S_N = Event the airplane failed sometime during the first N missions.

Thus

P(S̄_(K-1)) = probability that the airplane survived the first K-1 missions, P(S̄_0) = 1.

P(L_K) = P(S_K | S̄_(K-1))

P(L_K) P(S̄_(K-1)) = probability of loss of the airplane during the Kth mission

P(S̄_(K-1)) = (1 - q_1)(1 - q_2) ... (1 - q_(K-1))

where q_K = P(L_K).

Accordingly, the mean time to first failure for a single airplane is

MTFF = Σ_(K=1)^∞ K T q_K (1 - q_1)(1 - q_2) ... (1 - q_(K-1))                         (20)

Observe that if

q_K = q = constant

then

MTFF = T/q, as expected.

The MTFF (or its reciprocal) is not a particularly desirable criterion of flight safety because a) it requires a very large number of computations to evaluate and b) a typical MTFF greatly exceeds the service life of the airplane and c) it bears little resemblance to the way in which reliability estimates are obtained from field data.




Mean Failure Rate

An alternate measure, the mean failure rate, is defined as follows: Define R as the ratio of airplane losses to total flight time in a sample of n airplanes. Thus

R = Σ_(K=1)^N n_K / [Σ_(K=1)^N K T n_K + N T (n - Σ_(K=1)^N n_K)]                    (21)

where

n_K = number of airplanes lost during the Kth mission,

Σ_(K=1)^N K T n_K = total flight time of all airplanes which failed during the service life,

NT = SL = service life,

T = duration of mission,

(n - Σ_(K=1)^N n_K) = number of airplanes which reached the end of the service life.

Because the events n_i and n_K, i ≠ K, are independent, the expected value of R is the ratio of expected values. Thus,

E(R) = Σ_(K=1)^N E(n_K) / [Σ_(K=1)^N K T E(n_K) + N T (n - Σ_(K=1)^N E(n_K))]          (22)


We interpret the Kth mission as a Bernoulli trial with

p_K = probability of loss of airplane.

Therefore, the average number of losses during the Kth mission is

E(n_K) = n p_K                                                                      (23)

and the average flight time is

E(K T n_K) = K T n p_K.                                                             (24)

Substituting (23) and (24) into (22) yields

E(R) = Σ_(K=1)^N n p_K / [Σ_(K=1)^N K T n p_K + N T (n - Σ_(K=1)^N n p_K)]

     = Σ_(K=1)^N p_K / [Σ_(K=1)^N K T p_K + N T (1 - Σ_(K=1)^N p_K)]                   (25)

We define

MFR (Mean Failure Rate) = E(R).

Example

For the case when P(L_K) = q = constant, we certainly expect that

MFR = 1/MTFF

where MTFF is computed according to (20). From (20)

MTFF = Σ_(K=1)^∞ K T q (1 - q)^(K-1) = T/q.

Also

Σ_(K=1)^N p_K = Σ_(K=1)^N q (1 - q)^(K-1) = 1 - (1 - q)^N

and

Σ_(K=1)^N K T p_K = Σ_(K=1)^N K T q (1 - q)^(K-1) = (T/q) [1 - (1 - q)^N] - N T (1 - q)^N.

Substituting these expressions into (25) yields

MFR = q/T, as expected.

Equation (25) can be simplified by observing that the number of airplane losses is small compared with the numbers of airplanes involved. As a consequence the total flight time may be approximated by n N T. Thus,

MFR ≈ Σ_(K=1)^N p_K / (N T).
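As an added example (not from the report), the following Python evaluates (20) and (25) for an arbitrary sequence q_K = P(L_K) over a service life of N missions, reproduces the constant-q checks above, and compares (25) with the Σ p_K / NT simplification. The latent-failure sequence for the unmonitored triplex reuses (18) with p_K in place of α_p and is the editor's own construction; function names are likewise the editor's.

```python
# Added example, not from the report: MTFF (20) and mean failure rate (25)
# computed from a sequence q_K = P(L_K), K = 1..N, over a service life of N
# missions, with the constant-q checks of the Example and the sum(p_K)/NT
# simplification.  The latent-failure sequence uses the report's z = 100e-6.


def loss_during_mission(q_seq):
    """p_K = P(L_K) P(S-bar_(K-1)): the airplane survives K-1 missions and is
    lost on the Kth.  q_seq[K-1] is q_K."""
    survived, out = 1.0, []
    for q in q_seq:
        out.append(q * survived)
        survived *= 1.0 - q
    return out


def mttf_truncated(q_seq, T):
    """Equation (20) summed over the missions supplied (finite service life);
    it approaches T/q for constant q only when N q >> 1."""
    p = loss_during_mission(q_seq)
    return sum(K * T * pk for K, pk in enumerate(p, start=1))


def mean_failure_rate(q_seq, T):
    """Equation (25): expected losses per flight hour over the fleet sample."""
    p = loss_during_mission(q_seq)
    N, lost = len(q_seq), sum(p)
    hours_of_lost = sum(K * T * pk for K, pk in enumerate(p, start=1))
    hours_of_survivors = N * T * (1.0 - lost)
    return lost / (hours_of_lost + hours_of_survivors)


def mean_failure_rate_approx(q_seq, T):
    """The report's simplification: total flight time taken as n N T."""
    return sum(loss_during_mission(q_seq)) / (len(q_seq) * T)


def triplex_latent_q_sequence(z, alpha_p, n_missions):
    """q_K for the unmonitored triplex of section 3 using (18) with the
    mission-dependent latent probability p_K = alpha_p [1 - (1-z)^(K-1)]
    from (11) in place of its large-N limit alpha_p (editor's construction)."""
    return [6.0 * z * alpha_p * (1.0 - (1.0 - z) ** (K - 1)) + 3.0 * z ** 2
            for K in range(1, n_missions + 1)]


if __name__ == "__main__":
    T = 1.0
    const = [1e-6] * 60000                         # 60,000 one-hour missions
    print("constant q: MFR =", mean_failure_rate(const, T),
          "approx =", mean_failure_rate_approx(const, T))
    seq = triplex_latent_q_sequence(100e-6, 0.0001166, 60000)
    print("triplex with latent failures: MFR =", mean_failure_rate(seq, T),
          "first-mission P(L_1) =", seq[0], "last-mission P(L_N) =", seq[-1])
```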


5. Periodic Tests

Flight safety reliability goals may impose severe requirements on preflight test coverage. It will be shown that some configurations require coverages in excess of 99.9%. Unfortunately, preflight test is also subject to operational requirements which limit test time, test equipment and accessibility to system components. As a consequence, the coverage attained may be less than required. A poor initial preflight coverage can be effectively improved by administering an additional and more complete test at longer periodic intervals. For purposes of this discussion this periodic test is assumed to have 100% coverage in order to simplify the computations.

The effects of periodic testing can be seen in Figure 1. The dashed curve shows the probability of a latent failure versus NT for a channel failure rate of z = 300 x 10^-6. The solid curve is the resultant failure rate with periodic testing where N is the number of missions between periodic tests.
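As an added example (not from the report; Figure 1 itself is not reproduced), the following Python generates the sawtooth latent-failure probability produced by a 100%-coverage periodic test every `period` missions, using recursion (10) with z = 300 x 10^-6 as in the figure, and compares the mean loss rate of the unmonitored triplex of section 3 with and without the periodic test. Function names are the editor's own.

```python
# Added example, not from the report: latent-failure probability of one
# channel under recursion (10) when a 100%-coverage periodic test is run every
# `period` missions (section 5), and the resulting mean loss rate of the
# unmonitored triplex of section 3.  Figure 1 value: z = 300e-6 per mission.


def latent_prob_sequence(alpha_p, z, n_missions, period=None):
    """P(f_K) for K = 1..n_missions.  Each mission that follows a periodic
    test starts with no latent failure, exactly like mission 1."""
    p, out = 0.0, []
    for k in range(1, n_missions + 1):
        if period is not None and (k - 1) % period == 0:
            p = 0.0                         # periodic test removed every latent failure
        out.append(p)
        p = (1.0 - z) * p + alpha_p * z     # (10): carry-over plus new undetected failures
    return out


def peak_latent_prob(alpha_p, z, period):
    """Closed form (11) at the last mission before the next periodic test."""
    return alpha_p * (1.0 - (1.0 - z) ** (period - 1))


def triplex_loss_given_latent(z, p_k):
    """P(L_K) from the second form of (17):
    [3(2z - z^2) p + (3z^2 - 2z^3)(1 - p)] / (1 + 2p)."""
    num = 3.0 * (2.0 * z - z * z) * p_k + (3.0 * z * z - 2.0 * z ** 3) * (1.0 - p_k)
    return num / (1.0 + 2.0 * p_k)


def mean_loss_rate(alpha_p, z, T, n_missions, period=None):
    """Mean of P(L_K)/T over the service life: the 'average' criterion (option c)
    of section 4, evaluated with the sum(p_K)/NT simplification."""
    latent = latent_prob_sequence(alpha_p, z, n_missions, period)
    return sum(triplex_loss_given_latent(z, p) for p in latent) / (n_missions * T)


if __name__ == "__main__":
    alpha_p, z, T, life = 1e-3, 300e-6, 1.0, 60000
    for period in (None, 2000, 500):
        rate = mean_loss_rate(alpha_p, z, T, life, period)
        peak = alpha_p if period is None else peak_latent_prob(alpha_p, z, period)
        print(f"period={period}: peak latent prob ~ {peak:.3e}, mean loss rate {rate:.3e}/h")
```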


6. Effects of Failures of the Test Device and Disengage Logic

There are two general classes of failures which affect system operation: the active failure, which is a failure in the command chain, and the failure of the test device or disengage logic, either of which prevents disengagement of the failed channel. The effects of the latter type of failures depend upon the configuration. In the case of a self test procedure a failure of the test only impairs the test coverage in the failed channel. The effects of these failures are relatively straightforward and will be discussed presently. The situation is more complicated with comparison monitoring where a monitor failure could impair coverage in two channels. The difference is illustrated in the following example.

Example

The configuration is dual and fail passive (i.e., to trim). As a consequence, loss of system occurs in the event of either channel failing undetected. If both channels are self monitored then this event is

E_s = F_1 Ā_1 + F_2 Ā_2

or

E_c = (F_1 + F_2) Ā

with a single comparator between channels. Thus, if the channel #1 test fails

and if the comparator fails

E_c = F_1 + F_2.

The difference could be significant.

However, if failures of the test are ruled out, then

P(E_s) = α z + α z - α^2 z^2

       = 2 α z - α^2 z^2

and

P(E_c) = α (2z - z^2) = 2 α z - α z^2.

Clearly, the difference is insignificant in this case.

For purposes of this discussion there is no distinction made between test failures and disengage failures since they both prevent removal of the failure. Let

F_t = Event of failure of the test during the mission

A = Event of an alarm of the LRU

z_t = P(F_t)

α = Test deficiency with respect to the LRU

α_t = Preflight test deficiency with respect to the test device

F = Event of failure of the LRU during the mission

z = P(F)

Then

P(FĀ) = P(FĀ | F_t) P(F_t) + P(FĀ | F̄_t) P(F̄_t)

P(FĀ | F̄_t) = α z

P(FĀ | F_t) = z

In this last expression it is assumed that any failure of the test results in total loss of coverage. Accordingly,

P(FĀ) = (α + z_t - α z_t) z

Thus, the test deficiency is effectively increased from α to α + z_t - α z_t.

In general, the probability of loss of test will be a function of elapsed missions due to latent failures. In this case z_t is replaced by

For large N the probability of a failure in the test is

z_t + α_t - α_t z_t

and the deficiency is

α + z_t + α_t, approximately.

For a typical fail-safe comparator

z_t = 1.55 x 10'^

and

α_t = 0, approximately,

and since α is typically larger than .01 the effects of failures of the LRU test can be neglected. It should be noted that z_t, as given above, does not include single point failures, as might, for example, occur in the power supply and hence could affect all comparators.




SECTION 4

DESCRIPTION OF CANDIDATE REDUNDANT CONFIGURATIONS

In the next section detailed tradeoffs will be presented for several versions of triplex and quadruplex configurations. In this section several basic redundant configurations will be presented together with ground rules governing failure effects and those properties of secondary actuators and signal selection devices that are pertinent to the tradeoff studies.

1. Secondary Actuators

A detailed description of force-summed redundant secondary actuators is given in Appendix IV. For purposes of the tradeoffs the following properties are sufficient:

Dual Actuators

The output is the mid-value of the two commands and a hypothetical zero command.

Triplex Actuators

The output is the mid-value of the three commands.

Quadruplex Actuators

The output is the mid-value of the four commands and a hypothetical zero command. Upon detection and disengagement of a failed quadruplex actuator the configuration reverts to a triplex arrangement.

2. Signal Selection Device (SSD)

The signal selection device is a majority device. If an input to the SSD fails and is detected then that signal is disqualified and the SSD proceeds as a majority device with the remaining signals. The SSD output is considered to have failed if and only if

a. the last signal input fails or

b. there are at least as many failed (and not disqualified) inputs as non-failed inputs.

Incidentally, these rules of failure effects also apply to the secondary actuators.


No  distinction  is  made  between  passive  and  non-passive  failures 
of  the  system.  In  practice  it  is,  of  course,  desirable  that  the 
airplane  fail  to  a trim  condition  following  loss  of  system. 

Failure Status Events

In the absence of nuisance alarms the four events $FA$, $F\bar{A}$,
$\bar{F}A$ and $\bar{F}\bar{A}$ associated with each LRU reduce to $FA$, $F\bar{A}$ and $\bar{F}$,
where $F$ is the event of an inflight failure of the LRU and $A$ is the
event of an alarm. A similar set of events is defined for latent
failures except that $\bar{f}A$ is a vacuous event. Each of the three
events is associated with an integer:

    $f\bar{A}$, $F\bar{A}$  →  1    (undetected failure)

    $fA$, $FA$  →  2    (detected failure)

    $\bar{f}$, $\bar{F}$  →  3    (no failure)

Combinations of latent and inflight failures of an LRU combine
to form composite failure events according to the following
table:


TABLE 2.  COMPOSITE FAILURE EVENTS FOR AN LRU

                              INFLIGHT
   LATENT            1            2            3
     1               1            2*           1
     2               1            2            3
     3               1            2            3

   *This event could have been designated "1" for worst case.

According  to  the  table  a latent  failure  followed  by  an  undetected 
inflight  failure  is  an  undetected  failure.  Also,  a latent  fail- 
ure followed  by  a detected  failure  is  considered  to  be  a detected 
failure. 

If X, Y, Z designate the composite failure events of the
three inputs to a triplex voter (SSD) then the voter fails for
the following combinations of X, Y and Z:

    (1, 1, 1)  and all combinations

    (1, 1, 2)  and all combinations

    (1, 1, 3)  and all combinations

    (1, 2, 2)  and all combinations

    (1, 2, 3)  and all combinations

    (2, 2, 2)  and all combinations

(The combination (1, 1, 2), two undetected failures with the third
input disqualified, fails by rule b above and is included here.)

These rules are in accordance with the rules already estab-
lished for SSD's. Observe that a detected failure effectively
disqualifies that input to the SSD. A similar set of combina-
tions are defined for the quadruplex SSD. Of these, only a few
are enumerated:

    (1, 1, 3, 3)  and all combinations

    (2, 2, 1, 3)  and all combinations

    (2, 2, 2, 1)  and all combinations, etc.
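The status integers, the composite-event table and the SSD failure rule above can be mechanised and the failing combinations enumerated rather than listed by hand. The following Python is an added example written for this edition, not code from the report; the function and constant names are its own, and it encodes Table 2 exactly as reconstructed above.

```python
"""Status integers, the composite (latent x inflight) table and the
signal selection device failure rule from Section 4, plus an
enumeration of the failing input combinations for triplex and
quadruplex voters.  Added example; names are this example's own."""
from itertools import product

# Status integers assigned in Section 4: F.A-bar / F.A / F-bar.
UNDETECTED, DETECTED, GOOD = 1, 2, 3


def composite_status(latent, inflight):
    """Composite failure event for one LRU (Table 2).

    A latent failure followed by an undetected inflight failure is an
    undetected failure; followed by a detected inflight failure it is
    counted as detected.  With no undetected latent failure the inflight
    status carries through."""
    if latent == UNDETECTED:
        return DETECTED if inflight == DETECTED else UNDETECTED
    return inflight


def ssd_fails(statuses):
    """Majority signal selection device rule.

    Detected failures are disqualified.  The output fails iff the last
    input has failed (nothing is left) or the failed, undisqualified
    inputs are at least as numerous as the non-failed ones."""
    remaining = [s for s in statuses if s != DETECTED]
    if not remaining:
        return True
    failed = remaining.count(UNDETECTED)
    good = remaining.count(GOOD)
    return failed >= good


def comparison_monitored_fails(statuses):
    """Comparison-monitored variant (Section 4.4): the system also
    fails when fewer than two good channels remain."""
    return ssd_fails(statuses) or list(statuses).count(GOOD) < 2


def failing_combinations(n_inputs, rule=ssd_fails):
    """Unordered failing status combinations (sorted tuples) for an
    n-input voter; each stands for 'and all permutations'."""
    combos = set()
    for statuses in product((UNDETECTED, DETECTED, GOOD), repeat=n_inputs):
        if rule(statuses):
            combos.add(tuple(sorted(statuses)))
    return sorted(combos)


def voter_status_from_lrus(latent_statuses, inflight_statuses):
    """Apply Table 2 to each channel, then the SSD rule to the voter."""
    composite = [composite_status(l, f)
                 for l, f in zip(latent_statuses, inflight_statuses)]
    return composite, ssd_fails(composite)


if __name__ == "__main__":
    print("triplex fails for:", failing_combinations(3))
    print("quad fails for:   ", failing_combinations(4))
    # An undetected latent failure in channel 1 plus an inflight failure
    # in channel 2, the dominant f_i F_j pair discussed in Section 4.3:
    print(voter_status_from_lrus((1, 3, 3), (3, 1, 3)))
```

Running the triplex enumeration reproduces the report's list plus (1, 1, 2), which the rule covers; the quadruplex enumeration yields nine unordered combinations, of which the report lists three. The last call shows why latent failures matter: one undetected latent failure and one inflight failure already defeat a triplex voter.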

When nuisance alarms are allowed, the status events $FA$ and
$\bar{F}A$ have the same effect* as a detected failure. Therefore, both
events are associated with a "2" type status event where

    $P(FA + \bar{F}A) = P(A) = \dfrac{1-\alpha}{1-\beta}\, z$

($\beta$ being the fraction of all alarms that are nuisance alarms).
The "3" type status event becomes $\bar{F}\bar{A}$ where

    $P(\bar{F}\bar{A}) = 1 - \dfrac{1-\alpha\beta}{1-\beta}\, z$

The effects of nuisance alarms on flight safety reliability
will be established in the tradeoffs.

3.  Effects of Mission Duration, T

In the absence of latent failures the probability of loss
of aircraft depends only upon mission duration, T, and is the
same for every mission. In this case

    $P(L_N)$ = constant (independent of the mission number N).


* Here we overlook the fact that loss of a triplex system, for
example, due to three nuisance alarms does not represent loss
of the airplane if the pilot has reset capability.




It will be shown that the dominant* failure combination
in the triplex arrangement is the pair

    $F_i \bar{A}_i F_j$

where i and j are channel designations and $i \neq j$. Therefore

    $P(L_N) \propto P(F_i \bar{A}_i F_j) = \alpha z^2$

(where $\propto$ denotes "proportional to") and the loss rate is

    $P(L_N)/T \propto \alpha z^2 / T \propto T$

since $z \propto T$.

In the quadruplex arrangement the dominant failure
combination is

    $F_i \bar{A}_i F_j \bar{A}_j$   and, hence,

    $P(L_N) \propto P(F_i \bar{A}_i F_j \bar{A}_j) = \alpha^2 z^2$

In both the triplex and quadruplex configurations the loss rate
is then proportional to mission time.

When latent failures are present the situation is quite
different because the latent failure combinations dominate for
most of the service life. In the triplex configuration the
dominant failure event is

    $f_i F_j$   and, hence,

    $P(L_N) \propto P(f_i F_j) = P(f_i)\, z$

and $P(L_N)$ is independent (approximately) of T.

Similarly, the dominant failure combination of the quadruplex
configuration is

    $f_i F_j \bar{A}_j$   and, hence,

    $P(L_N) \propto P(f_i F_j \bar{A}_j) = P(f_i)\, \alpha z$

and $P(L_N)$ is, again, independent of T.

In the event that primary actuator failures are the dominant
failures then

    $P(L_N) \propto P(F_{\text{actuator}}) = z_{\text{actuator}} \propto T$

and the loss rate $P(L_N)/T$ is independent of T.

* Excluding single point failures.

4 . Self  Tested  Versus  Comparison  Monitored  Configurations 

In  the  tradeoff  studies  the  only  distinction  made  between 
an  inflight  self  tested  and  comparison  monitored  system  is  that 
the  comparison  monitored  system  requires  at  least  two  good 
channels  for  non-failed  operation.  Thus,  a failure  combination 
such  as  (2,  2,  2,  3)  would  represent  a failed  system  if  the 
configuration  were  quadruplex. 

Self  tested  channels  are  only  used  in  the  dual  and  triplex 
configurations.  This  approach  is  justified  because  the  added 
benefits  of  self  test  tend  to  be  negligible  in  the  quadruplex 
system  compared  with  more  dominating  failures  such  as  single 
point,  latent  and  inflight  undetected. 

According  to  the  ground  rules  already  established  a com- 
parison monitored  triplex  system  does  not  provide  any  advantages 
over  an  unmonitored  (i.e.,  inflight)  system.  The  major  benefits 
of  comparison  monitoring  in  the  triplex  system  are 

a.  First  failure  does  not  propagate  to  the  surface  and 

b.  Second  failure  following  a detected  first  failure 
results  in  a passive  failure  of  the  airplane. 

c.  Pilot  is  warned  of  failed  channel.  He  then  has  the 
option  of  aborting  the  mission  (a  factor  which  effectively 
increases  flight  safety  reliability) . 

However,  it  has  already  been  assumed  that  the  force  summed 
actuators  will  prevent  an  undetected  failure  from  propagating  to 
the  surface,  whether  detected  or  not,  and  no  distinction  was 
made  between  passive  and  non-passive  loss  of  system.  In  practice, 
of  course,  this  is  an  important  consideration;  but  it  was  not  a 
factor  in  the  tradeoffs.  If  good  inflight  coverage  is  required, 
a completely  self  tested  channel  is  difficult  to  achieve  without 
a significant  increase  in  cost  of  extra  hardware  or  software  in 
the  form  of  servo  models,  self-tested  sensors,  performance 
monitors, reasonableness tests, sensor stimuli, etc. However,
the cost depends upon the coverage required and it is this basic
requirement that will be determined in the tradeoffs.

5.  Triplex  Versus  Quadruplex 

Before  proceeding  to  a description  of  the  configurations, 
there  are  several  aspects  of  the  triplex  versus  quadruplex 
tradeoff  which  deserve  a separate  discussion. 

a.  With  a force  summed  servo  arrangement  two  undetected 
failures  in  a quad  configuration  could  result  in  a passive 
failure  of  the  airplane  (provided  that  trim  is  maintained) . In 
a triplex  configuration  two  undetected  failures  could  result  in 
a non-passive  failure  of  the  airplane.  The  quad  configuration 
has  a clear  advantage  in  this  respect. 

b.  There is one feature of the quadruplex comparison
monitored configuration which has significant implications re-
garding the benefits of that arrangement. In the triplex, self-
test configuration the dominant failure combinations have the
form

    $F_i \bar{A}_i F_j$,   $f_i F_j$

where f and F denote latent and inflight failures, respectively.
Thus, an undetected failure followed by any failure could result
in loss of system. In the quad configuration the dominant fail-
ure combinations are

    $F_i \bar{A}_i F_j \bar{A}_j$,   $f_i F_j \bar{A}_j$

Thus, two undetected failures could result in loss of system. If
comparison monitoring is used exclusively, then there is a possi-
bility that an undetected failure in one channel will impair
coverage of subsequent inflight failures in the remaining
channels. Taking the worst case, if subsequent inflight cover-
age is zero following an undetected failure, then the dominant
failure combinations of the quad comparison monitored configura-
tion are

    $F_i \bar{A}_i F_j$   and   $f_i F_j$.

Comparing these events with those of the triplex arrangement it
can be seen that the quad configuration provides no benefits
over the triplex unless inflight coverage is significantly
better, as it must be in order to compensate for the larger
number of combinations of the form $F_i \bar{A}_i F_j$ in the quad arrange-
ment. If preflight test coverages are the same in both con-
figurations then the latent terms could become dominant. Again,
because there are more such combinations in the quad configura-
tion the triplex would provide greater flight safety.




As  a consequence  of  these  observations  it  is  assumed  that  com- 
parison monitoring  is  always  augmented  by  other  techniques  of 
inflight  testing  in  order  to  insure  a minimum  impairment  of 
coverage  following  an  undetected  failure.  In  the  tradeoffs  to 
follow  it  is  assumed  that  coverage  of  subsequent  failures  is  not 
significantly  impaired  following  an  undetected  failure  in  a quad 
channel . 

6.  LRU Failure Rates

As indicated in Appendix I, the following LRU failure rates
(failures per flight hour) are assumed:

   Primary Actuator (Pitch, Yaw, Roll)          =   0.5 x 10^-6
   Secondary Actuator (Pitch, Roll, Yaw)        = 100   x 10^-6
   Accelerometer (Pitch, Yaw)                   =  20   x 10^-6
   Rate Gyro (Pitch, Roll, Yaw)                 =  25   x 10^-6
   Stick Force Sensors (Pitch, Roll, Yaw)       =   5   x 10^-6
   Digital Computer                             = 120   x 10^-6

The secondary actuator failure rate does not include the hy-
draulic supply which could double the indicated failure rate.


7.  Dual Configuration

Although the emphasis of the study is on triplex and quad
configurations, the dual configuration will be discussed,
briefly, for purposes of comparison. In order to simplify the
computation it is assumed that the digital computers are cross
strapped and the sensor failure rates are zero. Both channels
are self tested. The event of loss of system for a secondary
actuator or a digital computer is

    $E = F_1 F_2 + F_1 \bar{A}_1 + F_2 \bar{A}_2$

and

    $P(E) = z^2 + \alpha z + \alpha z$,  approximately,

where $P(F_1) = P(F_2) \approx z$.



Digital Computer

    $P(E) \approx (120 \times 10^{-6})^2 + 2\alpha\,(120 \times 10^{-6})$
         $\approx 240\alpha \times 10^{-6}$,  approximately.

Secondary Actuators

    $P(E) \approx (100 \times 10^{-6})^2 + 2\alpha\,(100 \times 10^{-6})$
         $\approx 200\alpha \times 10^{-6}$,  approximately.

Combining the cross strapped computer pair with three sets of
secondary and primary actuators yields, for the probability of
loss of system in one hour,

    $840\alpha \times 10^{-6} + 1.5 \times 10^{-6}$,  approximately.

In order to meet the goal of $3.0 \times 10^{-6}$ we require

    $840\alpha \times 10^{-6} + 1.5 \times 10^{-6} < 3.0 \times 10^{-6}$

or

    $\alpha < 1.5/840 \approx .0018$,

i.e., about 99.8% of all inflight failures must be detected.

In addition to this high inflight coverage requirement,
failures must be detected rapidly since it must be presumed
that the airplane is out of control (but passive) until the
failed channel is detected and removed.
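The dual-configuration arithmetic above generalises directly to a small calculator that takes the LRU rates and the inflight miss probability $\alpha$ as inputs and solves for the coverage a given flight safety goal demands. The following Python is an added example for this edition, not code from the report; the rate table is the one in Section 4.6 and the function names are this example's own.

```python
"""Dual configuration loss probability (Section 4.7) as a function of
the LRU failure rates and the inflight miss probability alpha, with a
solver for the coverage needed to meet a flight safety goal.
Added example; the report gives the numbers, the functions are ours."""

# LRU failure rates per flight hour, Section 4.6.
RATES = {
    "primary_actuator": 0.5e-6,
    "secondary_actuator": 100e-6,
    "digital_computer": 120e-6,
}


def dual_loss_probability(z, alpha):
    """P(E) for a self-tested dual pair, E = F1F2 + F1A1bar + F2A2bar,
    with P(F1) = P(F2) = z (one hour mission) and P(Abar | F) = alpha:
    z**2 + alpha*z + alpha*z.  The z**2 term is kept here although the
    report drops it as negligible."""
    return z * z + 2.0 * alpha * z


def system_loss_per_hour(alpha, axes=3, cross_strapped_computers=True,
                         rates=RATES):
    """Probability of losing at least one axis in one hour.

    Computers count once when cross strapped (as the report assumes),
    otherwise once per axis; each axis has a dual secondary actuator and
    a single-point primary actuator with no redundancy at all."""
    computer_pairs = 1 if cross_strapped_computers else axes
    p = computer_pairs * dual_loss_probability(rates["digital_computer"], alpha)
    p += axes * dual_loss_probability(rates["secondary_actuator"], alpha)
    p += axes * rates["primary_actuator"]
    return p


def required_coverage(goal, axes=3, cross_strapped_computers=True,
                      rates=RATES):
    """Smallest inflight coverage 1 - alpha that meets the goal, found by
    bisection on alpha (loss is monotone increasing in alpha).  Returns
    None when even perfect coverage cannot meet the goal, i.e. when the
    single point failures alone already exceed it."""
    if system_loss_per_hour(0.0, axes, cross_strapped_computers, rates) > goal:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if system_loss_per_hour(mid, axes, cross_strapped_computers, rates) <= goal:
            lo = mid
        else:
            hi = mid
    return 1.0 - lo


if __name__ == "__main__":
    for goal in (3.0e-6, 2.0e-6, 1.0e-6):
        print(f"goal {goal:.1e}/hr -> required inflight coverage:",
              required_coverage(goal))
```

For the report's goal of $3.0 \times 10^{-6}$ the solver returns a coverage just over 99.8%; a goal of $1.0 \times 10^{-6}$ is unreachable because the three primary actuators alone contribute $1.5 \times 10^{-6}$, which is the "single point failures dominate" observation of Section 5 in miniature.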

8.  Triplex Configuration

The basic inflight, self tested triplex configurations are
shown in Figures 2 and 3 with no cross strapping and full
cross strapping, respectively. The cross strapping is ideal in
that there are no failure probabilities associated with cross
strapping. The effective locations of the cross straps are
indicated by boxes labelled "V". Details of these signal selec-
tion devices are contained in Appendix VI. If the voting of
sensors in Configurations 1 and 2 is performed in computer soft-
ware and the cross strapping of signals is done digitally through
intercomputer data buses, a computer failure could cause simul-
taneous failures of the monitoring and cross strapping. If mon-
itoring of the secondary actuators is performed by the digital
computers via data links between the servos and computers, and
cross-strapping of the computer outputs is performed by the same
or similar data links, data link and interface component failures
as well as computer failures could fail monitoring and cross
strapping simultaneously. Such considerations complicate the
analysis of any actual system and tend to obscure the basic
potentialities of the redundant system. Ideally, in a well-
designed system, the failure rates of any auxiliary cross
strapping and monitoring components should be considerably less
than those of the components in the main signal chains. The
same is true of any logic and automatic disengagement features
that might be required to insure operation after one or two
failures. Of course, great care must be exercised to insure
that no single failure with a probability approaching the flight
safety goal can cause complete loss of the system. In the pre-
sent trade studies, all auxiliary components including voters
are assumed to have zero failure probabilities. In order to
obtain the added reliability benefits of cross strapping the
cross straps at the output of the digital computers must be
dedicated devices controlled by dedicated logic.

[Figures 2 and 3: triplex configuration block diagrams (sensors,
computers, voters "V", secondary actuators); figures not reproduced
in this text.]

9.  Quadruplex Configurations

The basic quadruplex configurations are shown in Figures
4 and 5 with no cross strapping and full cross strapping,
respectively. The quadruplex configurations are "comparison
monitored" as defined previously. Explicit techniques of cross
channel monitoring are discussed in Appendix VI and in References
1 and 5.

10.  Triplex with Back-Up Configuration

From a previous discussion of the relative merits of the
triplex versus quadruplex configuration, it is apparent that the
added reliability improvement of the quad arrangement is not
commensurate with what would be expected from the extra channel
of redundancy. Essentially, this is due to the even number of
channels, which requires inflight monitoring in order to realize
the advantage of redundancy.

The basic triplex with back-up configurations are shown in
Figures 6 and 7 with no cross strapping and full cross
strapping, respectively. For purposes of the tradeoffs the back-
up channel is assumed to be identical to the other channels. In
practice, however, the back-up electronics would be analog with
the minimal get-home-and-land capability. As a consequence, the
back-up channel requires no inflight testing and can be thorough-
ly tested in preflight test. In the tradeoffs the back-up
channel is not tested inflight and its preflight coverage is
assumed to be the same as the other channels.




a.  Disengage/Engage Strategy

Upon detection of the first failure, the failed
channel will automatically disengage. An alternative is to
annunciate the failure and let the pilot manually disengage the
failed channel. In any case the strategy for a first failure is
not critical. This is a consequence of our assumption that an
undetected failed channel will result in little or no degradation
in performance because of the mechanical voting of the actuators.
In the event of a second detected failure, the triplex, in-line
channels will be automatically disengaged and the back-up channel
engaged. If the second failure is not detected, we make the
assumption that the pilot can recognize loss of control and
manually engage the back-up before serious damage occurs. It is
difficult to envision how a back-up channel can be used to any
advantage if it is assumed that the pilot either cannot recognize
loss of control or cannot manually engage the back-up in time to
avert serious damage. This would imply that any two failures of
the inline channels, one of which is undetected, may result in
loss of the airplane. The back-up configuration, under these
conditions, would compare unfavorably with a straight quadruplex
configuration where loss of control requires two undetected
failures, or three detected failures. While the back-up channel
loses its effectiveness if the assumption is invalid, the valid-
ity of this assumption remains, nevertheless, an open question.

In previous configurations we took the conservative
position and equated loss of control with loss of the airplane,
i.e., the airplane failed to a non-trim condition. We now modify
this position and distinguish between passive and non-passive
states of the airplane following loss of control. Table 3
summarizes the effects of loss of control as a function of de-
tected, undetected, passive and non-passive failure sequences
in a triplex configuration. The table entries were obtained
assuming a force-summed servo model. From the table it can be
seen that, of the 16 possible failure sequences, 14 result in
passive loss of control. Only when the first failure is unde-
tected and non-passive and is followed by a second non-passive
failure does loss of control result in a non-passive state of
the airplane. Accordingly, our original assumption can be re-
stated as follows:

In a FBW primary control system,

(1)  the pilot can recognize passive loss of control
and manually engage the back-up channel in time to avert serious
damage to the airplane, and




(2)  the  event  of  an  undetected,  non-passive  first 
failure  followed  by  a non-passive  second  failure  is  remote  or  if 
not  remote,  the  pilot  will  recognize  the  failure  and  manually 
engage  the  back-up  channel  in  time  to  avert  serious  damage.  This 
latter  presumption  is  justified  on  the  grounds  that  the  back-up 
configuration  presents  the  clear  and  unique  alternative  of  engag- 
ing the  back-up  channel  upon  the  occurrence  of  the  second  failure. 
There  is  no  time  wasted  in  determining  which  of  the  remaining 
channels  are  non-failed  as  is  the  case  with  the  quadruplex  con- 
figuration. No  distinction  is  made  between  passive  and  non- 
passive failures  following  loss  of  the  system.  In  practice  it 
is,  of  course,  desirable  that  the  airplane  fail  to  a trim  con- 
dition following  loss  of  system. 


TABLE 3.  RESULTANT AIRCRAFT STATES FOLLOWING LOSS OF
          CONTROL IN A TRIPLEX CONFIGURATION

   1st Failure             2nd Failure             Effect on
   Detected  Undetected    Detected  Undetected    Aircraft
   --------  ----------    --------  ----------    --------------------
      P                       P                    P
      P                                  P         P
      P                       NP                   P
      P                                  NP        P
      NP                      P                    P
      NP                                 P         P
      NP                      NP                   P
      NP                                 NP        P
                P             P                    P
                P                        P         P
                P             NP                   P
                P                        NP        P
                NP            P                    P
                NP                       P         P
                NP            NP                   P and NP Transient
                NP                       NP        NP

   P  = Passive Failure
   NP = Non-Passive Failure



As  a direct  consequence,  the  triplex,  in-line  channel  perform- 
ance is  assumed  to  be  independent  of  inflight  failure  detection 
capability  and  loss  of  the  airplane  occurs  only  if  two  of  the 
triplex  channels  fail  followed  by  a failure  of  the  back-up 
channel . 


Although inflight monitoring may not be required for
improved flight safety (e.g., the loss of two channels may be
sufficiently improbable) it should be included, in practice, to
apprise the pilot of system status so that he may abort the
mission, if desired. If automatic disengagement of the triplex
system is allowed then nuisance alarms could degrade flight
safety reliability.

The dominant failure combinations of the back-up
configuration are

    $f_i f_j (f_B + F_B)$,   $f_i F_j (f_B + F_B)$,   $F_i F_j (f_B + F_B)$

where the subscript "B" denotes back-up channel. Observe that
inflight testing is not required for improved reliability. The
benefits of the back-up configuration can be seen by comparing
its dominant failure combinations with those of the triplex and
quad arrangements, i.e.,

    $F_i \bar{A}_i F_j$,   $f_i F_j$                (Triplex)

    $F_i \bar{A}_i F_j \bar{A}_j$,   $f_i F_j \bar{A}_j$      (Quad)

Test Coverage

In order to simplify the computations all LRU's
are assumed to have the same inflight and preflight test coverage
(i.e., $1-\alpha_i$ and $1-\alpha_p$, respectively) and the same nuisance
alarm sensitivity, $\beta$.

Loss of Airplane

In the tradeoffs loss of airplane is equivalent to
loss of at least one axis. In a cross strapped configuration
this will occur whenever the output of a signal selection device
(including secondary actuators) fails.

11.  Aborts

It has been established from field data that the abort rate
of fighter aircraft due to failures of the PFCS is about two orders
of magnitude greater than the loss rate (e.g., $420 \times 10^{-6}$ com-
pared with $3.8 \times 10^{-6}$ for the F-4). Although there is an element
of arbitrariness in any definition of abort the following abort
strategy appears to be reasonable:

A mission  is  presumed  to  be  aborted  when: 

Triplex

    A single LRU alarms in any axis. This includes sensors,
    computers and secondary actuators.

Quad

    Two LRU's supplying inputs to any signal selection
    device, in any axis, alarm.

Triplex with Back-Up

    The pilot switches to the back-up channel.

Calculated Abort Rates

Following the prescribed strategies abort rates are
calculated, approximately, for each of the candidate configura-
tions.

Triplex, Configurations 1 and 2

    Abort Rate $\approx \dfrac{1-\alpha}{1-\beta} \times 1650 \times 10^{-6}$ aborts/flight hour

($1650 \times 10^{-6}$ being the sum of the failure rates of all LRU's in
the three channels.)

Quadruplex, Configuration 1 (Worst Case)

    Abort Rate $\approx \left(\dfrac{1-\alpha}{1-\beta}\right)^{2} \times 1.13 \times 10^{-6}$ aborts/flight hour

Triplex with Back-Up, Configuration 1 (Worst Case)

    Abort Rate $\approx \dfrac{1-\alpha}{1-\beta} \times 1.13 \times 10^{-6}$ aborts/flight hour

In arriving at this last result we took the conserva-
tive approach and assumed that one of the channels was disengaged
due to a nuisance alarm indication.

From these results it can be seen that the abort rate
of the triplex configuration is about 4 times that of the F-4,
assuming no nuisance alarms. If only one alarm out of every two
is a nuisance alarm (i.e., $\beta = 1/2$) then the abort rate is 8
times that of the F-4. The abort rates of the quad and back-up
configurations are several orders of magnitude less than that of
the F-4.
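The triplex abort figure above follows from the abort strategy and the LRU list of Section 4.6: every LRU in every channel can raise the first alarm, and nuisance alarms inflate the alarm rate by $1/(1-\beta)$. The following Python is an added example for this edition, not code from the report; the per-channel instance counts are read off the LRU list, the F-4 figure is the field value quoted above, and the function names are this example's own.

```python
"""Triplex abort rate of Section 4.11 built up from the Section 4.6 LRU
inventory, with the nuisance-alarm inflation (1-alpha)/(1-beta) and
the comparison with the F-4 field abort rate.  Added example; the
inventory counts per channel are read off the LRU list, the function
names are ours."""

F4_ABORT_RATE = 420e-6   # aborts per flight hour, field data quoted in the report

# (failure rate per flight hour, instances per channel) from Section 4.6
LRU_PER_CHANNEL = {
    "digital_computer":   (120e-6, 1),
    "secondary_actuator": (100e-6, 3),   # pitch, roll, yaw
    "accelerometer":      (20e-6, 2),    # pitch, yaw
    "rate_gyro":          (25e-6, 3),    # pitch, roll, yaw
    "stick_force_sensor": (5e-6, 3),     # pitch, roll, yaw
}


def alarm_rate(rate, alpha, beta):
    """Alarms per hour from one LRU: detected failures (1-alpha)*rate,
    inflated because a fraction beta of all alarms are nuisance alarms."""
    if not 0.0 <= beta < 1.0:
        raise ValueError("beta must be in [0, 1)")
    return (1.0 - alpha) * rate / (1.0 - beta)


def triplex_abort_rate(alpha, beta, channels=3, inventory=LRU_PER_CHANNEL):
    """Triplex abort strategy: abort on the first alarm of any LRU in
    any axis, so the rate is the sum over every LRU in every channel."""
    return sum(channels * count * alarm_rate(rate, alpha, beta)
               for rate, count in inventory.values())


def ratio_to_f4(abort_rate):
    """How many times the F-4 field abort rate a calculated rate is."""
    return abort_rate / F4_ABORT_RATE


if __name__ == "__main__":
    for beta in (0.0, 0.5):
        r = triplex_abort_rate(alpha=0.0, beta=beta)
        print(f"beta={beta}: {r * 1e6:.0f}e-6 aborts/hr, "
              f"{ratio_to_f4(r):.1f} x F-4")
```

With $\alpha = 0$ and $\beta = 0$ the sum is exactly $1650 \times 10^{-6}$, about 3.9 times the F-4 rate; with $\beta = 1/2$ it doubles, which is the "8 times" figure in the text. Note that inflight coverage and nuisance sensitivity pull in opposite directions here: better coverage raises the abort rate (more real failures are caught) while it lowers the loss rate.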




SECTION  5 


TRADEOFF  OF  REDUNDANT  CONFIGURATIONS 

All configurations are evaluated for a one hour mission.
Loss of airplane is defined as a failure of at least one of
three axes. The effects of mission duration have already been
discussed in Section 4 where it was concluded that, because of
the dominance of latent failure probabilities, $P(L_N)$ and MFR tend
to be independent of mission time. It will be shown,
subsequently, that the dominance of single point failures,
particularly the primary actuators, tends to equalize the rela-
tive differences between configurations. For this reason each
configuration is evaluated for two primary actuators with fail-
ure rates of 0 and $0.5 \times 10^{-6}$/flight hour/axis, respectively.


1.  Tradeoff Parameters Identified

Configurations are evaluated in terms of the following
parameters:

$P(L_\infty)$ versus $1-\alpha_i$;  $1-\alpha_p = 1.0$

$P(L_\infty)$ is the steady state value of $P(L_N)$. As indicated
previously this parameter is a valid criterion for a commercial
aircraft whose service life* is well in excess of the effective
latent failure time constant.

$P(L_\infty)$ versus $1-\alpha_p$;  $1-\alpha_i = .95$

This graph shows the sensitivity to preflight test coverage
assuming an inflight test coverage of 95%. The inflight test
coverage was selected because it is achievable without being
prohibitive in terms of extra hardware, memory or real time.
In any case the results are not especially sensitive to this
parameter.

$P(L_N)$ versus Mission Time;  $1-\alpha_i = .95$;  $1-\alpha_p = .999$

This parameter versus time shows the effective latent fail-
ure time constant and the resultant degradation of flight safety
reliability with time. The maximum time shown is 5000 hours
since this value is approximately the service life of a typical
fighter aircraft. The dashed horizontal lines are the steady
state values of $P(L_N)$. Observe that preflight test coverage is
99.9%. Preflight coverage greater than 99.9% may be extremely
difficult to achieve.

* A typical service life is 60,000 hours.

MFR versus $1-\alpha_i$;  $1-\alpha_p = .999$;  SL = 5000 hours
MFR versus $1-\alpha_p$;  $1-\alpha_i = .95$;  SL = 5000 hours

These graphs show the sensitivity of mean failure rate (MFR) to
inflight and preflight test coverage, respectively. The mean
failure rate is calculated for a service life (SL) of 5000 hours.

MFR versus $N_p$;  $1-\alpha_i = .95$,  $1-\alpha_p = .999$,  SL = 5000 hours

This graph shows the improvement in mean failure rate as a
function of the number of missions between periodic tests of
100% coverage. The parameter, $N_p$, denotes the number of missions
between periodic tests.

2.  Results 


Figures 8, 9

From these figures it can be seen that, assuming a
100% preflight test coverage, all configurations result in
acceptable flight safety reliability for a wide range of inflight
test coverages. The equalizing effect of the single point pri-
mary actuator failures can be seen by comparing the two figures.
For inflight test coverage of the order of 0.95 all configura-
tions are compatible with the commercial transport flight safety
goal of $0.23 \times 10^{-6}$/hour in the sense that flight safety reli-
ability will be determined primarily by single point failures.

Figures 10, 11

The degrading effects of non-perfect preflight
test coverage can be seen in these figures where it has been
assumed that inflight test coverage is 0.95. Several conclusions
may be inferred from these figures:

a.  Cross-strapping improves incremental* flight safety
reliability by a factor of 10 whereas with perfect preflight
test coverage, the improvement is a factor of 3 or 4.

b.  The triplex configuration is most sensitive to latent
failures and the triplex with back-up configuration is the least
sensitive. Figure 10 is summarized in Table 4.


♦incremental  = excludes  primary  actuator  failure  rates. 




TABLE 4.  INCREMENTAL P(L∞) VERSUS PREFLIGHT TEST COVERAGE
          (FIGURE 10)

                              1-α_p = .99      1-α_p = .999     1-α_p = .9999
  *Triplex #1                 202.75x10^-6     22.617x10^-6     2.337x10^-6
  *Triplex #2                  33.53x10^-6      3.427x10^-6      .3558x10^-6
  *Quad #1                     19.462x10^-6     2.259x10^-6      .2323x10^-6
  *Quad #2                      3.326x10^-6      .342x10^-6      .0350x10^-6
   Triplex #1 With Back-Up     10.7x10^-6        .13x10^-6       .00237x10^-6
   Triplex #2 With Back-Up      2.3588x10^-6     .0267x10^-6     .00735x10^-6

  *1-α_i = .95

Figures 12, 13

The degradation of flight safety reliability with time can
be seen in these figures where preflight test coverage is assumed
to be 0.999 for all configurations. Observe that there is a con-
siderable difference between $P(L_\infty)$ and $P(L_N)$ when $NT = 5000$
hours. This is due to the small effective latent failure time
constant of the overall system. Figure 12 is summarized in
Table 5.


TABLE 5.  INCREMENTAL P(L_N) AT 5000 HOURS VERSUS PREFLIGHT TEST
          COVERAGE = .999 (FIGURE 12)

  *Triplex #1                    4.65x10^-6
  *Triplex #2                    1.135x10^-6
  *Quad #1                        .4644x10^-6
  *Quad #2                        .113x10^-6
   Triplex #1 with Back-Up        .0080x10^-6
   Triplex #2 with Back-Up        .0027x10^-6

  *1-α_i = .95




As in all figures the triplex with back-up configuration provides
superior reliability performance.

Figures 14, 15

These figures show the insensitivity of mean failure
rate to inflight test coverage for all configurations. The
triplex with back-up configurations are not shown since inflight
test coverage is assumed to be 0.

Figures 16, 17

A comparison of incremental $P(L_\infty)$, MFR and $P(L_N)$ at
5000 hours for all configurations is given in Table 6. Pre-
flight test coverage is .999 and inflight test coverage, where
applicable, is 0.95.


TABLE 6.  INCREMENTAL P(L∞), P(L_N) AT 5000 HOURS, MFR WITH
          PREFLIGHT TEST COVERAGE = .999 (FIGURE 16)

                              Incremental      Incremental      Incremental
                              P(L∞)            P(L_N) at        MFR
                                               5000 Hours
  *Triplex #1                 22.617x10^-6     4.65x10^-6       2.5x10^-6
  *Triplex #2                  3.427x10^-6     1.135x10^-6       .62x10^-6
  *Quad #1                     2.259x10^-6      .464x10^-6       .25x10^-6
  *Quad #2                      .342x10^-6      .113x10^-6       .0615x10^-6
   Triplex #1 with Back-Up      .13x10^-6       .0080x10^-6      .0034x10^-6
   Triplex #2 with Back-Up      .0267x10^-6     .0027x10^-6      .00175x10^-6

  *1-α_i = .95

From the table and the figures it can be seen that MFR is a less
conservative estimate of flight safety reliability than either
$P(L_\infty)$ or $P(L_N)$ at 5000 hours.




Figures 18, 19

These figures show the effective improvement in mean
failure rate with periodic (100% coverage) testing. A comparison
of incremental MFR for all configurations is given in Table 7.
Preflight test coverage is 0.999 and inflight test coverage,
where applicable, is 0.95.


TABLE 7.  MFR VERSUS PERIODIC TESTING WITH PREFLIGHT TEST COVERAGE
          = .999 (FIGURE 18)

                              MFR, No            MFR                MFR
                              Periodic Test      N_p = 1000         N_p = 500
  *Triplex #1                 2.5x10^-6          .61x10^-6          .335x10^-6
  *Triplex #2                  .62x10^-6         .152x10^-6         .0839x10^-6
  *Quad #1                     .25x10^-6         .031x10^-6         .053x10^-6
  *Quad #2                     .0615x10^-6       .0132x10^-6        .0077x10^-6
   Triplex #1 with Back-Up     .0034x10^-6       .00054x10^-6       .000336x10^-6
   Triplex #2 with Back-Up     .00117x10^-6      .000019x10^-6      .000117x10^-6

  *1-α_i = .95

It  can  be  seen  from  the  table  that  a periodic  test  at  an  interval 
as  large  as  1000  hours  results  in  a considerable  improvement  in 
flight  safety  reliability. 

3. Conclusions

a. In all configurations the benefits of redundancy tend to be negated by the dominating influence of latent and single point failures.

b. Cross-strapping can provide a significant improvement in flight safety reliability,* primarily because of the dominance of latent failure probabilities.

*As defined by any of the several criteria proposed.


c. Because of the dominance of latent failures, flight safety reliability is relatively independent of a given mission time.

d. A triplex configuration augmented by a back-up channel is less sensitive to the effects of latent failures than the straight triplex or quadruplex configurations.

e. Preflight test coverage requirements depend upon configuration and flight safety goals. The requirements can differ significantly depending upon the definition of flight safety reliability and whether or not periodic testing is employed. As an indication of the possible variation, Table 8 shows the preflight test coverage required to meet an incremental flight safety goal of 1.0 x 10^-6 for the Triplex #2 configuration.


TABLE 8. PREFLIGHT TEST COVERAGE REQUIRED TO ACHIEVE INCREMENTAL
FLIGHT SAFETY RELIABILITY GOAL OF 1.0 x 10^-6 WITH INFLIGHT
TEST COVERAGE = .95

               P(L∞)     P(Lk) at 5000 Hours     MFR       MFR With Np = 1000 Hrs.
Triplex #2     .9997     .9992                   .9984     .9928




Figure 9. P(L∞) Versus (1-αi); 1-αp = 1.0
Primary failure rate = .5 x 10^-6


Figure 10. P(L∞) Versus (1-αp); 1-αi = .95
Primary actuator failure rate = 0


Figure 1[?]. P(Lk) Versus KT; 1-αi = .95; 1-αp = [illegible]
Primary actuator failure rate = 0


Figure 17. MFR Versus 1-αp; 1-αi = .95
Primary actuator failure rate = .5 x 10^-6



SECTION  6 


APPLICATION  TO  THE  680-J  SURVIVABLE  FLIGHT  CONTROL  SYSTEM 
680-J  SURVIVABILITY  AIRPLANE  (F-4) 

1. Ground Rules


The 680-J Program incorporated five configurations:

• Present F-4 System

• Phase I: Simplex

• Phase IIA: FBW with Mechanical Back-Up

• Phase IIB: Same as IIA with Mechanical Back-Up Removed

• Phase IIC: Survivable Flight Control System With FBW

Phases IIA, IIB, and IIC are quadruplex configurations, with IIC representing the "ultimate" in mission reliability.

The major difference between IIB and IIC is that in IIC the secondary and primary stabilator actuators are combined into a single package (called the SSAP, i.e., Survivable Stabilator Actuator Package). Hydraulic and electrical power supplies are the same in both phases. As a point of comparison, the failure rate for single point failures of the SSAP of IIC is 0.26 x 10^-6/hour whereas the corresponding failure rate for the primary actuator (stabilator) of IIB is 1.0 x 10^-6/hour (Ref. 3, Table V, page 39). Because the 680-J Program never reached the IIC phase it was decided to use the IIB phase for the Applications Study.

a. Phase IIB

For purposes of this study, we can characterize IIB as follows:

(1) Separate mechanical trim actuator

(2) One stabilator actuator

(3) FBW




(4) Lateral and directional axes are redundant in the sense that only one must function in order to return and land the airplane (Ref. 4, page 27). Thus, flight safety reliability is determined primarily by the catastrophic failure rate of the longitudinal axis.

(5) Longitudinal axis flight safety reliability only is being considered.

(6) Phase IIB is shown in Figure 20, which includes electrical and hydraulic supplies.

(7) Component failure rates used in the study are:

(a) Primary Actuator                     = 1.0 x 10^-6/hour

(b) Secondary Actuator, Channel 1        = 188 x 10^-6/hour*
    Secondary Actuator, Channel 2        = 278 x 10^-6/hour*
    Secondary Actuator, Channel 3        = 301 x 10^-6/hour*
    Secondary Actuator, Channel 4        = 188 x 10^-6/hour*

(c) Digital Computer                     = 120 x 10^-6/hour

(d) Normal Accelerometer                 = 8.1 x 10^-6/hour
    Pitch Rate Gyro                      = 3.8 x 10^-6/hour
    Stick Force Sensor                   = 7.8 x 10^-6/hour

*Includes Hydraulic Supplies
**Omitted in Triplex

All failure rates are those of IIB except that we have substituted a digital computer for the IIB pitch computer (failure rate = 25 x 10^-6/hour).

b. Two quadruplex and two triplex configurations were considered:

(1) Quadruplex with Comparison Monitoring

(a) No voting, (b) Fully voted

(Figures 23 and 24, respectively)




(2) Triplex with Self-Tested Channels

(a) No voting, (b) Fully voted

(Figures 21 and 22, respectively)

Although it does not correspond to any 680-J configuration, it was decided to duplicate all computations using a reduced stabilator actuator failure rate of 0.25 x 10^-6 per hour. The resultant mission reliability represents a realistic goal and corresponds, at least approximately, to what can be attained in Phase IIC.


Flight Safety Reliability Goals

Estimates of catastrophic failures of the primary flight control system of the F-4 airplane are summarized as follows:

For carrier-based F-4's: 6.6 x 10^-6 failures/hour.

Estimate obtained by the Air Force for non-carrier F-4's: 3.8 x 10^-6 failures/hour.

Calculated for standard F-4's: 1.145 x 10^-6 failures/hour.

From these estimates we may conclude that a calculated FBW F-4 failure rate should not greatly exceed 1.145 x 10^-6 failures/flight hour.


2. Results

Figures 25, 27, 29, 31, 33, and 35 refer to the 680-J, Phase IIB configuration as defined in Figure 20. Figures 26, 28, 30, 32, 34, and 36 are the corresponding figures except that the stabilator actuator failure rate has been reduced from 1.0 x 10^-6 to 0.25 x 10^-6 failures/hour.


Figures 25, 26. P(L∞) Versus (1-αi); (1-αp) = 1.0

These figures substantiate an earlier conclusion that probability of loss of system is not strongly dependent on inflight test coverage, at least among the values selected. As a design objective, which appears to be attainable, we will, henceforth, assume that inflight test coverage is 95%.

Figures 27, 28. P(L∞) Versus (1-αp); (1-αi) = .95

These are important figures because P(L∞) = MFR for any airplane with a long service life. From Figure 27, we may conclude that Triplex (1) is unacceptable. Comparing Triplex (2) with Quad (2) indicates that Quad (2) requires an order of magnitude less in preflight test coverage, e.g., 99% in Quad (2) and 99.9% in Triplex (2), to achieve the same P(L∞). Since it will be extremely difficult to achieve a 99.9% preflight test coverage (and to prove that it has been achieved), Quad (2) is the recommended configuration. At this stage in the development of FBW systems, we believe that the additional safety is well worth the extra cost and complexity of the quad configuration.

Figures 29, 30. P(Lk) Versus KT; (1-αi) = .95, (1-αp) = .999

These figures show the degradation of flight safety reliability with time. Again, the quadruplex configurations are superior.

Figures 31, 32. MFR Versus (1-αi); (1-αp) = .999

As in Figures 25 and 26, these figures show that inflight test coverage does not strongly influence mean failure rate, at least for the coverages selected.

Figures 33, 34. MFR Versus (1-αp); (1-αi) = .95

Referring to Figure 33, it can be seen that Quad (1) and Quad (2) are both acceptable with a preflight coverage of 99.9% and Quad (2) is probably acceptable with a coverage of 99.0%. With the improved actuator, Quad (2), with a coverage of 99.9%, results in an MFR of approximately 1.0 x 10^-6 failures/hour. The Triplex (2), on the other hand, shows almost no improvement between the existing and improved actuators with a coverage of 99.0%.

Figures 35, 36. MFR Versus Np; (1-αi) = .95, (1-αp) = [illegible]

These figures show that even a relatively modest periodic test can provide a significant improvement in MFR for all configurations. The dashed lines correspond to the MFR values of the respective configurations with no periodic testing.


3. Conclusions


a. With perfect preflight test coverage and a relatively modest inflight test coverage both the triplex and quadruplex configurations yield acceptable flight safety reliability.

b. The triplex configuration tends to be more sensitive to latent failures than the quad configuration. In the triplex, a latent failure followed by a failure in another channel, whether detected or not, could result in loss of the airplane. In the quad arrangement loss of the airplane requires two undetected failures.

c. The triplex configuration requires a preflight test coverage of .999, or better, in order to meet the reliability goals. The quad configuration requires a coverage between .99 and .999.




Figure  21.  Triplex  configuration 


Figure 25. 680-J Airplane IIB P(L∞) versus 1-αi; 1-αp = 1.0


Figure 29. 680-J Airplane IIB P(Lk) versus KT; 1-αi = .95; 1-αp = .999


Figure 33. 680-J Airplane IIB MFR versus 1-αp; 1-αi = .95


Figure 34. 680-J Airplane IIB MFR versus 1-αp; 1-αi = .95
Primary actuator failure rate = .25 x 10^-6


SECTION  7 


DIGITAL  VERSUS  ANALOG  IMPLEMENTATION 


1. Digital Computer Advantages

The digital computer has several potential advantages in the redundancy application:

a. It can provide superior test coverage and test effectivity as compared with present analog built-in-test (BIT). The coverage of a typical BIT ranges between 85 and 95%, with a ratio of BIT hardware to total system hardware (by volume) of about 20% to 25%. In the DC-10 Autoland System (dual-dual), for example, BIT hardware comprises 22% of the total system. Typically, a digital computer self test program requires between 500 to 1500 words of memory. In a triplex redundant configuration this would comprise between 1% and 4% of the total computer (and I/O) hardware, respectively.

b. It eliminates tolerance accumulation normally contributed by the analog control computer.

c. It can provide sophisticated signal selection algorithms, reasonableness testing and performance monitoring far beyond what an analog system can yield with practical implementation.

d. With serial intercomputer links it requires fewer interconnecting wires for cross-channel comparison monitoring, if that form of monitoring is required.

e. It can be used in a variety of hybrid configurations, e.g., off-line, digital outer loops/analog inner loops, etc.

2. Digital Computer Disadvantages

On the other hand, a digital implementation has several disadvantages in the redundancy application:

a. Failure modes and effects tend to be difficult to characterize and some failures may be extremely difficult to detect using only a software self test program. Failure detection coverage requirements could dictate redundancy of internal computer components.

b. A digital computer implementation is susceptible to generic software failures. These failures, being common to more than one channel, could seriously degrade flight safety reliability. Eliminating or minimizing the probability of this type of failure requires rigorous software control and extensive testing of the prototype system. Dissimilar programs or a dissimilar back-up channel should be seriously considered in a FBW application. Paradoxically, the capability to make changes in the program quickly, with little or no impact on hardware, could be nullified by the degree of system testing that must accompany the change.


SECTION 8


RECOMMENDATIONS FOR MIL-F-9490


1.

The current proposed revision to MIL-F-9490D, dated March 1974, by the Boeing Company, still lacks detailed requirements which will ensure both the designer and the user a means to achieve a redundant flight control system of the required safety and failure survivability for a given application. On the basis of this study, the recommendation is made to include in the next revision of MIL-F-9490 requirements for the following control system parameters:

a. In-flight monitoring

b. Pre-flight tests

c. Periodic maintenance tests

d. Validation requirements for (a) - (c)

It is also recommended that paragraph 3.2.4.3.2 be expanded with respect to input/output growth requirements as detailed below.

2. Test Requirements

The following paragraphs should be added to paragraph 3.1.3.2 of MIL-F-9490.


3.1.3.2.2 Redundancy Validation

For any flight critical mode, that is, any operational configuration wherein loss of the flight control system can reasonably be expected to lead to a degradation of the FCS operational state below level II, as defined in this document, the FCS specification shall include a test validation procedure and an analytical verification procedure, as appropriate, for the following system parameters:

In-flight monitor coverage

Pre-flight test coverage

Periodic maintenance test coverage


3.1.3.2.3 Redundancy Configuration

The selection of the redundancy configuration, including levels of redundancy and voting techniques, shall be based on meeting mission success and safety requirements and shall be validated by appropriate analyses.

3.1.3.2.4 In-flight Monitor Coverage

The FCS specification shall specify that adequate in-flight and pre-flight test coverage must be demonstrated. This coverage must be consistent with the probability of mission success and safety requirements and the selected system configuration. Failure rates to be used in the analysis must be approved by the procuring agency.

3.1.3.2.5 Periodic Maintenance Testing

The FCS specification shall insure that periodic maintenance testing is accomplished at intervals that are consistent with the required mission success probability. The FCS specification shall develop criteria for the confidence level required in maintenance testing.

In addition, the section on digital implementation (paragraph 3.2.4.3.2) should be expanded to include the following:

3.2.4.3.2.4 I/O Capability

At the time of acceptance of the first production airplane, it is required that the digital computer I/O section contain a minimum of 10% of unused input and output lines, to take care of additional requirements over the life of the production airplane without the necessity of adding I/O hardware.


SECTION  9 


CONCLUSIONS  AND  RECOMMENDATIONS  FOR  FUTURE  ACTION 


1. Conclusions

The following conclusions are based on the results of the study:

a. A master plan for achieving mission and flight safety reliability goals should be an integral part of the design and synthesis of a redundant flight control system. The plan should include:

(1) A statement of mission and flight safety reliability goals. A commitment to a goal forces the designer to view the contribution of each component in the perspective of the whole system and leads to a practicable and fair allocation of failure rates. A criterion which considers only the electronics contribution to total reliability could lead to unnecessary, inconsistent and costly refinements.

(2) Allocation of failure rates - Failure rates should be allocated to all system components based on what is necessary and what is achievable.

(3) Statement of failure detection requirements - The objectives of inflight and preflight failure detection should be explicit. They should include the extent to which inflight and preflight detection coverage contributes to the attainment of the reliability goals. Inflight and preflight test coverage requirements should be allocated to all system components. Signal selection devices should be identified and justified with regard to purpose; i.e., cross-strapping, improved failure detection, common outputs, etc.

(4) Failure detection validation procedure - Having established coverage goals and procedures to attain these goals it is necessary to validate the claimed coverages. Numbers of samples, accuracy and confidence factors specifications should be a part of the validation procedure.


b. Preflight test coverage is a critical parameter of flight safety reliability. In a triplex configuration controlling a flight critical mode the required preflight test coverage could exceed 99.9%. In a quadruplex configuration the corresponding coverage requirement could exceed 99% and possibly even 99.9% depending upon inflight test strategy and its degradation in the presence of undetected failures. Inflight test coverage is much less critical.

c. The potential increased flight safety indicated by redundant control channels may represent an insignificant improvement in overall system reliability due to the dominance of single point failures of primary actuators, linkages, etc.

d. The use of a dissimilar backup channel in any flight critical configuration should be seriously considered. Advantages of the back-up channel are:

(1) Eliminates prime sources of common mode failures such as (a) generic software and (b) generic hardware failures or design defects.

(2) If the backup channel is designed for get-home-and-land capability only, then it may be relatively simple and thus can have its operational integrity more completely verified by testing preflight. Inflight monitoring or testing of the backup channel may not be necessary for improved reliability.

(3) A triplex configuration augmented by a backup channel is less susceptible to latent failures than a straight triplex or quadruplex configuration. In a triplex configuration a latent failure in one channel followed by an inflight failure in one of the two good channels could result in loss of the airplane. In a quadruplex configuration, a latent failure followed by an undetected inflight failure of one of the remaining channels could result in loss of the airplane. In the triplex-with-backup configuration loss of the airplane can occur only if two of the three triplex channels fail, one of which may be due to a latent failure, followed by a failure of the backup channel.
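The loss-of-airplane sequences described in (3) above (and in conclusion b of Section 6) can be enumerated exactly for one flight once each channel is given a probability of a latent, preflight-undetected failure and of an inflight failure. The Python below is an added illustration and not part of the report or its analyses: the per-channel probabilities, the 95% inflight coverage and the independent backup-channel failure probability are constructed inputs, and the loss predicates are transcribed from the report's wording rather than from any model it gives.

```python
from itertools import product
from math import prod

# Channel states for one flight. This state model is an assumption made for
# the illustration; it is not the report's reliability model.
GOOD = "good"              # channel works throughout the flight
LATENT = "latent"          # failed before takeoff, missed by the preflight test
DETECTED = "detected"      # failed in flight, caught by the inflight monitor
UNDETECTED = "undetected"  # failed in flight, missed by the inflight monitor

FAILED = {LATENT, DETECTED, UNDETECTED}
UNSEEN = {LATENT, UNDETECTED}  # failures the system does not know about


def channel_state_probs(p_latent, p_inflight, inflight_coverage):
    """Probability of each state for one channel during one flight.

    p_latent          probability a preflight-undetected failure is present at takeoff
    p_inflight        probability a channel that was good at takeoff fails in flight
    inflight_coverage fraction of inflight failures the monitor detects (1 - alpha_i)
    """
    ok_at_takeoff = 1.0 - p_latent
    return {
        LATENT: p_latent,
        DETECTED: ok_at_takeoff * p_inflight * inflight_coverage,
        UNDETECTED: ok_at_takeoff * p_inflight * (1.0 - inflight_coverage),
        GOOD: ok_at_takeoff * (1.0 - p_inflight),
    }


def count(states, kinds):
    return sum(1 for s in states if s in kinds)


# Loss predicates transcribed from the report's conclusion d(3):
def triplex_lost(states):
    # a latent failure followed by a failure (detected or not) in another channel
    return LATENT in states and count(states, FAILED) >= 2


def quad_lost(states):
    # a latent failure followed by an undetected inflight failure, i.e. two
    # failures the system is unaware of
    return count(states, UNSEEN) >= 2


def two_of_three_failed(states):
    # the triplex part of triplex-with-backup: two of the three channels fail
    return count(states, FAILED) >= 2


def loss_probability(n_channels, state_probs, lost):
    """Exact enumeration over the joint states of independent channels."""
    total = 0.0
    for states in product(state_probs, repeat=n_channels):
        if lost(states):
            total += prod(state_probs[s] for s in states)
    return total


def compare_configurations(p_latent, p_inflight, inflight_coverage, p_backup):
    """Probability of loss of the airplane on one flight, per configuration.

    p_backup is the (constructed) probability that the dissimilar backup channel
    fails when called upon; it is assumed independent of the triplex channels.
    """
    probs = channel_state_probs(p_latent, p_inflight, inflight_coverage)
    return {
        "triplex": loss_probability(3, probs, triplex_lost),
        "quad": loss_probability(4, probs, quad_lost),
        "triplex_with_backup": loss_probability(3, probs, two_of_three_failed) * p_backup,
    }


if __name__ == "__main__":
    # Constructed inputs: 0.1% latent failure per channel, 0.1% inflight failure,
    # 95% inflight coverage as used throughout the report, 1% backup failure.
    for name, p in compare_configurations(1e-3, 1e-3, 0.95, 1e-2).items():
        print(f"{name:20s} P(loss) = {p:.3e}")
```

With these inputs the triplex-with-backup figure is two orders of magnitude below the straight triplex, which is the sensitivity ordering the conclusion describes.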




e. The use of time shared digital devices does not necessarily provide greater failure detection ability. Fault diagnosis of digital sequential devices can be a formidable undertaking in terms of the number of tests required in order to exercise all inputs, states, transition paths and outputs. A self test procedure to detect all failures through recognition of all possible failure modes appears to be impracticable since the number of inputs required is prohibitive for even the simplest devices. A possible alternative would be to:

(1) Enumerate the known failure modes of each device and their relative frequency of occurrence. While some failure modes will remain unknown, it can be presumed that the relative frequency of the unknown failure modes is sufficiently small to permit the attainment of the required coverage.

(2) Design the test procedure to diagnose those failure modes whose total relative frequency exceeds the coverage required.

This alternative approach requires a very precise knowledge of the failure modes of each device and their relative frequency of occurrence. This knowledge, however, does not appear to exist for many of the new MSI and LSI devices.
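The two-step alternative above (catalogue the known failure modes with their relative frequencies, then test for those whose total frequency meets the required coverage) is mechanical enough to script. The Python below is an added illustration, not from the report: the failure-mode catalogue is constructed, using the report's distinction between the common stuck-at failures and the rarer data-dependent failures, with an "unknown" residual for the modes the report says will remain unknown.

```python
UNKNOWN = "unknown"  # residual share for failure modes that are not known, hence untestable


def plan_self_test(failure_modes, required_coverage):
    """Choose the failure modes a self-test must diagnose to reach required_coverage.

    failure_modes: {mode name: relative frequency of occurrence}; may include an
    UNKNOWN entry for the modes the catalogue does not know. Frequencies are
    normalised to their total, so they need not sum to 1.
    Greedy by frequency: the most frequent modes are covered first (step (2) of
    the report's alternative applied to the catalogue from step (1)).
    Returns (selected modes, achieved coverage, feasible).
    """
    total = sum(failure_modes.values())
    known = {m: f / total for m, f in failure_modes.items() if m != UNKNOWN}
    selected, covered = [], 0.0
    for mode, share in sorted(known.items(), key=lambda kv: kv[1], reverse=True):
        if covered >= required_coverage:
            break
        selected.append(mode)
        covered += share
    # The unknown share caps the achievable coverage: if the goal exceeds
    # 1 - unknown, no test built from the catalogue can reach it.
    return selected, covered, covered >= required_coverage


# Constructed catalogue for one device type (illustrative shares, not measured data).
DEVICE_FAILURE_MODES = {
    "stuck-at-0 output": 0.40,
    "stuck-at-1 output": 0.38,
    "open output": 0.10,
    "data-dependent (wrong output for some input sequences)": 0.07,
    UNKNOWN: 0.05,
}

if __name__ == "__main__":
    for goal in (0.85, 0.90, 0.99):
        modes, achieved, ok = plan_self_test(DEVICE_FAILURE_MODES, goal)
        print(f"goal {goal:.2f}: covered {achieved:.2f}, feasible={ok}, test for {modes}")
```

At an 85% goal the stuck-at and open modes suffice; at 90% the data-dependent class must be diagnosed as well, and at 99% the constructed 5% unknown residual makes the goal unreachable, which is the knowledge gap the paragraph ends on.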

f. The benefits (increased system reliability) of cross-strapping sensors should be carefully considered. When the sensor set is small or highly reliable, compared to the other system components, the benefits of cross-strapping are negligible. However, sensor cross-strapping can provide significant insensitivity to a greater number of latent failures, particularly when the service life of the aircraft greatly exceeds 5000 hours.

g. The use of a separate trim system (or a separate trim card) in the FBW application should be considered. If trim is supplied by the flight critical digital controller then loss of the system will result not only in loss of the airplane but may also preclude a safe ejection. Furthermore, loss of a quadruplex system could result when only two channels have failed. Without a separate trim, there may be no time available for pilot determination and selection of one of the remaining good channels.


h. The use of multiplexed data links can provide a significant reduction in numbers of wires and permits a standardization of interfaces. Multiplexing does not appear, at the present time, to offer any weight advantage or improvement in reliability.

i. Cross-strapping or intercomputer communications of any kind are potential sources of common mode failures. Intercomputer data links are particularly susceptible because of the questionable buffering properties of normal digital gates. Shorts or even failures to ground could propagate through several levels of gates to the memory or data busses, resulting in an avalanche of failures throughout the computer.

j. With digital controllers more easily providing a common input to force summed actuators, failure transients are potentially reducible to acceptable levels. As a consequence, inflight failure detection may not be required for improved reliability or reduction of failure transients (although it may be required for other reasons) and, if required, may incorporate a large time delay.

2.  Recommendations  for  Future  Action 

I a.  Develop  procedures  and  methods  of  validating  the  self 

test  capabilities  of  airborne  dioital  computers. 

b. Information regarding failure modes and associated failure
rates should be obtained to provide guidelines for modeling
failed devices. Design and validation of a digital computer
self-test procedure requires knowledge of the failure modes of
digital devices. While the vast majority of failures in digital
microcircuits appear at the device terminals as frozen (or
"stuck-at") signals, a low-probability type of failure can occur
which can be identified as a "data dependent" failure. With this
class of failure, the internal logic is changed such that the
device outputs no longer represent the design logic response,
i.e., for some inputs or input sequences the output is wrong;
thus the failure is "data dependent". These failures can be
particularly insidious in MSI and LSI, where complex logic
functions are performed.

Although these failures are in the minority, when self-test
efficiencies of 99+% are required they become of interest.
Development of practical self-test, and measurement of self-test
efficiency, require that the frequency of occurrence of these
failures be known and categorized by symptom. Modeling failed
devices in a practical way requires this information.
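The following is an added example, not part of the original report, illustrating how the self-test efficiency discussed in recommendation b is measured against a fault model. It simulates a small gate-level netlist (a 1-bit full adder, constructed here; the report gives no netlist), enumerates every single stuck-at fault, and reports the fraction a given test-vector set exposes. It then models a data-dependent fault of the kind the recommendation describes (the device answers correctly except for one input pattern, chosen arbitrarily for the example) and shows that a vector set which detects 100 percent of stuck-at faults can still miss it entirely, which is why the frequency of such failures must be known before a self-test efficiency figure can be trusted.

```python
"""Gate-level fault simulation for measuring self-test efficiency.

Added example, not from the report.  The netlist (a 1-bit full adder), the
test-vector sets and the data-dependent fault are all constructed here.
"""
from itertools import product

INPUTS = ("a", "b", "cin")
OUTPUTS = ("s", "cout")

# Netlist as (output net, gate type, input nets): s = a^b^cin, cout = ab + (a^b)cin
FULL_ADDER = [
    ("x1", "xor", ("a", "b")),
    ("s", "xor", ("x1", "cin")),
    ("a1", "and", ("a", "b")),
    ("a2", "and", ("x1", "cin")),
    ("cout", "or", ("a1", "a2")),
]
NETS = list(INPUTS) + [out for out, _, _ in FULL_ADDER]

GATES = {"and": lambda x, y: x & y, "or": lambda x, y: x | y, "xor": lambda x, y: x ^ y}


def vector(a, b, cin):
    """Build one input vector as a net-name -> value mapping."""
    return {"a": a, "b": b, "cin": cin}


def simulate(vec, stuck=None):
    """Evaluate the netlist for one vector.

    stuck is (net, value) or None.  A stuck-at fault forces that net to
    `value` for every gate that reads it and for the observed outputs,
    which is the 'frozen signal' model the report describes.
    """
    net = dict(vec)
    if stuck and stuck[0] in net:          # fault on a primary input
        net[stuck[0]] = stuck[1]
    for out, gate, ins in FULL_ADDER:
        value = GATES[gate](*(net[i] for i in ins))
        if stuck and stuck[0] == out:      # fault on an internal net or output
            value = stuck[1]
        net[out] = value
    return tuple(net[o] for o in OUTPUTS)


def stuck_at(net_name, value):
    """A fault model: the faulty circuit as a function of the input vector."""
    return lambda vec: simulate(vec, (net_name, value))


def data_dependent(trigger, wrong_outputs):
    """Fault model for the report's 'data dependent' class: the device is
    correct except for one input pattern (the trigger), for which it
    produces wrong_outputs.  The trigger used below is a constructed example."""
    def faulty(vec):
        if tuple(vec[i] for i in INPUTS) == trigger:
            return wrong_outputs
        return simulate(vec)
    return faulty


def coverage(fault_models, vectors):
    """Self-test efficiency: fraction of fault models that at least one
    vector exposes, i.e. for which the faulty output differs from the
    fault-free output on some observed pin."""
    detected = sum(
        any(model(vec) != simulate(vec) for vec in vectors)
        for model in fault_models
    )
    return detected / len(fault_models)


STUCK_AT_FAULTS = [stuck_at(n, v) for n in NETS for v in (0, 1)]   # 16 faults
EXHAUSTIVE = [vector(*bits) for bits in product((0, 1), repeat=3)]  # all 8 patterns
# Four vectors that detect every single stuck-at fault of this adder.
MINIMAL_SET = [vector(0, 0, 0), vector(0, 1, 1), vector(1, 0, 1), vector(1, 1, 1)]
# Constructed data-dependent fault: sum and carry wrong only for a=1, b=1, cin=0.
DATA_DEPENDENT = data_dependent((1, 1, 0), (1, 1))


if __name__ == "__main__":
    print("stuck-at coverage, 4-vector set :", coverage(STUCK_AT_FAULTS, MINIMAL_SET))
    print("data-dependent, 4-vector set    :", coverage([DATA_DEPENDENT], MINIMAL_SET))
    print("data-dependent, exhaustive set  :", coverage([DATA_DEPENDENT], EXHAUSTIVE))
```

The four-vector set scores 100 percent against the 16 stuck-at faults, yet 0 percent against the data-dependent fault; only the exhaustive set catches the latter, and exhaustive testing is not available for MSI/LSI parts with more than a handful of inputs. A quoted self-test efficiency is therefore only as good as the fault population it was measured against.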


c. Develop procedures and methods of software verification.
Such a procedure must exercise a large number of internal states
and state transition paths. The procedure must be capable of
practical implementation with a minimum of dependence on manual
supervision.


SECTION  10 




REFERENCES 


1. [Authors illegible in source], RELIABILITY AND REDUNDANCY STUDY FOR
ELECTRONIC FLIGHT CONTROL SYSTEMS, Honeywell Document No. [illegible],
Honeywell Inc., 1972.

2. Hendrick, R. C., Bailey, A. J., Edinger, L. D., DESIGN CRITERIA FOR
HIGH-AUTHORITY CLOSED-LOOP PRIMARY FLIGHT CONTROL SYSTEMS, Technical
Report AFFDL-TR-71-78, Honeywell Inc., August 1972.

3. Hooker, D. S., Kisslinger, R. L., Smith, G., Smyth, M. S., SURVIVABLE
FLIGHT CONTROL SYSTEM INTERIM REPORT NO. 1, STUDIES, ANALYSES AND
APPROACH, Technical Report AFFDL-TR-71-20, McDonnell Douglas Aircraft
Co., May 1971.

4. Amies, G. E., Clark, C., Jones, C. L., Smyth, M. S., SURVIVABLE FLIGHT
CONTROL SYSTEM INTERIM REPORT NO. 1, STUDIES, ANALYSIS AND APPROACH,
Supplement 3, Technical Report AFFDL-TR-71-20, McDonnell Douglas
Aircraft Co., May 1971.

5. Tomlinson, L. R., SST LONGITUDINAL CONTROL SYSTEM DESIGN AND DESIGN
PROCESSES, Final Report Task 4, Boeing Commercial Airplane Co., June
1973, prepared for FAA, Supersonic Transport Office, Washington, D. C.

6. Tomlinson, L. R., CONTROL SYSTEM DESIGN CONSIDERATIONS FOR A
LONGITUDINALLY UNSTABLE SUPERSONIC TRANSPORT, Journal of Aircraft,
Vol. 10, No. 10, October 1973.

7. Stengel, R. F., SOME EFFECTS OF BIAS ERRORS IN REDUNDANT FLIGHT
CONTROL SYSTEMS, Journal of Aircraft, Vol. 10, No. 3, March 1973.

8. Moore, E. F., GEDANKEN-EXPERIMENTS ON SEQUENTIAL MACHINES, Automata
Studies, Annals of Mathematics Studies No. 34, pp. 129-153, Princeton
University Press, New Jersey, 1956.

9. Miller, R. E., SWITCHING THEORY, Vol. II, John Wiley and Sons, New
York, 1965.

10. Wood, P. E., SWITCHING THEORY, McGraw-Hill, 1968.

11. "Feasibility Study for an Advanced Digital Flight Control System
(Digiflic)", Lear Siegler, Inc., October [year illegible in source].

12. "Digital Flight Control System Development", Honeywell, Inc.,
December 1972.

13. MIL-F-8785B (ASG), "Flying Qualities of Piloted Airplanes",
August 1969.

14. Technical Report AFFDL-TR-69-72, "Background Information and User
Guide for MIL-F-8785B (ASG), 'Military Specification - Flying Qualities
of Piloted Airplanes'", August 1969.

15. Technical Note No. 92, "Air Worthiness Requirements for Automatic
Landing", Air Registration Board (U.K.), December 1966.

16. Kaman Aircraft Corporation Report G-166, "Self-Contained Electronic
Flight Control System, Report No. 4", October 1961.

17. Sutton, M. L., Soderlund, G. M., "The Application of Dedicated
Processors to Digital Fly-By-Wire Flight Control Systems", NAECON '73
RECORD, April 1973.

18. MIL-F-9490D (DRAFT), "Flight Control Systems - Design, Installation
and Test of Piloted Aircraft, General Specification For", March 1974.

19. Technical Report AFFDL-TR-74- , "Background Information and User's
Guide for MIL-F-9490", Boeing Company, March 1974.

20. Federal Aviation Regulations, Vol. II, Part 37, "Technical Standard
Order Authorizations", Paragraph 37.119.

21. SAE Proposal Amendment to TSO-C9, letter GA-[illegible]519, 1972.

22. Technical Report AFFDL-TR-71-134, "Validation of Flying Qualities
Requirements of MIL-F-8785B (ASG)", Northrop Corporation, September 1971.

23. Papoulis, A., "Probability, Random Variables, and Stochastic
Processes", McGraw-Hill, New York, 1965.

24. Bonder, M. A., Gaabo, R. J., Smith, F. L., "Digital Flight Control
Systems for Tactical Fighters", Technical Report AFFDL-TR-73- , Vol. II,
Interim Report, Honeywell, Inc., July 1973.

25. Feller, W., "Probability Theory and Its Applications", Vol. I,
Wiley, New York, 1950.




APPENDIX  I 


BASELINE  FBW  SYSTEM 


1.  Definition  of  Single  Thread  FBW  System 

In order to preserve generality and insure the most widespread
applicability of the results of this study, the single thread FBW
flight control system has been configured to include only the
direct control modes and those required to achieve the desired
handling qualities (i.e., CAS/SAS modes). Block diagrams of these
basic modes are shown in Figures 1-1, 1-2 and 1-3. In practice,
however, certain outer-loop modes such as:

Localizer  and  runway  align 

Glide  slope 

Flare 

Ground  roll-out 

Approach  power  compensation 

Autothrottle 

could have survivability requirements similar to FBW. For
completeness, memory and real time estimates for these modes are
also included, as well as the failure rates and typical sensors.

Memory  and  Real  Time  Requirements 

The memory and real time required for each mode is indicated
in each figure and in Table 1-1.


TABLE 1-1

MEMORY AND REAL TIME REQUIREMENTS

Mode                   Words   Memory Cycles (CT)
Pitch Axis              106         345
Roll Axis                54         145
Yaw Axis                138         502
Speed Hold               67         166
APC                      73         195
Loc Trk/Align           141         410
Glide Slope Track       165         435
Yaw Damper               32          89
Runway Align/GR          79         207
Glide Slope/Flare       134         335


The Autoland requirements are based on the Autoland modes as
implemented in currently available equipment. It is assumed that:

• 2 cycle  times  = 1 add  time 

• 1 multiply  = 6 cycle  times  = 3 add  times 

• 1 cycle  time  = 1 microsecond 

• Inputs  and  outputs  are  executed  using  DMA. 

Thus,  A/D  and  D/A  conversion  time  is  excluded 
from  the  estimates. 

Sampling rates for inner loop control are taken at approximately
40 samples/second and at approximately 10 samples/second for
outer loop and autothrottle control. Based on 40 samples/second,
the total real time required for inner loop pitch, roll, and yaw
axis control is 39.68 milliseconds per second, or 3.968% of real
time. The real time requirement of the outer control loops plus
the speed control loops is 73.48 milliseconds per second if the
same sampling rate is assumed (a very conservative assumption,
since these loops need only about 10 samples/second). Thus, the
total real time requirement is of the order of 12%. However, to
this estimate must be added the requirements for

• executive  subroutines 

• modal  logic 

• monitoring, intercomputer communication, and
signal selection

• inflight  and  preflight  test 

• generation  of  annunciation  signals 


[Block diagrams of the individual modes are not reproduced here. Captions recovered from the source: FIGURE 1-6 GLIDE SLOPE FLARE; FIGURE 1-7 GLIDE SLOPE TRACK; FIGURE 1-8 LOCALIZER TRACK/ALIGN; FIGURE 1-10 YAW DAMPER.]


The total effect of these requirements is not expected to
increase the above real time requirement by more than 50%. It
may be concluded that the real time requirements of digital
flight control systems are well within the capabilities of
present day digital computer technology.
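The loading estimate above, worked through in code as an added example (not part of the original report). The cycle counts are the Table 1-1 values and the sampling rates, cycle time and 50% overhead allowance are those stated in the text; the frame-time check at the end is an added view of the same figures, assuming the outer loops run in an inner-loop frame when they are due.

```python
"""CPU loading estimate from the mode timing in Table 1-1.

Added example, not from the report.  Cycle counts are Table 1-1 values;
sampling rates, cycle time and the overhead allowance are the figures
stated in the text.  The frame check is this example's own addition.
"""
CYCLE_TIME_US = 1.0   # 1 cycle time = 1 microsecond (report assumption)

# Memory cycles per pass, from Table 1-1
INNER_LOOP = {"Pitch Axis": 345, "Roll Axis": 145, "Yaw Axis": 502}
OUTER_LOOP = {
    "Speed Hold": 166, "APC": 195, "Loc Trk/Align": 410,
    "Glide Slope Track": 435, "Yaw Damper": 89,
    "Runway Align/GR": 207, "Glide Slope/Flare": 335,
}


def pass_time_us(modes):
    """Execution time of one pass through every mode in the group."""
    return sum(modes.values()) * CYCLE_TIME_US


def ms_per_second(modes, rate_hz):
    """CPU time consumed per second of real time, in milliseconds."""
    return pass_time_us(modes) * rate_hz / 1000.0


def utilization(inner_rate_hz=40, outer_rate_hz=40, overhead=0.5):
    """Fraction of real time used by all modes plus the allowance for the
    executive, modal logic, monitoring, intercomputer communication,
    signal selection, BIT and annunciation (taken as `overhead` times the
    mode total, the report's 'not more than 50%')."""
    base_ms = ms_per_second(INNER_LOOP, inner_rate_hz) + ms_per_second(OUTER_LOOP, outer_rate_hz)
    return base_ms / 1000.0 * (1.0 + overhead)


def worst_frame_fits(inner_rate_hz=40, overhead=0.5):
    """Whether the busiest inner-loop frame (one in which every outer-loop
    mode is also due) completes inside the frame period.  Returns
    (frame_period_ms, worst_frame_ms, fits)."""
    period_ms = 1000.0 / inner_rate_hz
    worst_ms = (pass_time_us(INNER_LOOP) + pass_time_us(OUTER_LOOP)) / 1000.0 * (1.0 + overhead)
    return period_ms, worst_ms, worst_ms <= period_ms


if __name__ == "__main__":
    print("inner loop at 40 Hz: %.2f ms/s" % ms_per_second(INNER_LOOP, 40))
    print("outer loops at 40 Hz: %.2f ms/s" % ms_per_second(OUTER_LOOP, 40))
    print("utilization, outer at 40 Hz: %.1f%%" % (100 * utilization()))
    print("utilization, outer at 10 Hz: %.1f%%" % (100 * utilization(outer_rate_hz=10)))
    print("worst frame (period ms, worst ms, fits):", worst_frame_fits())
```

With the outer loops at their realistic 10 samples/second the figure drops to under 9% including overhead, and even the worst 25 ms frame carries only about 4.2 ms of work, which is the margin behind the conclusion above.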

2.  Failure  Rates  of  Basic  Components 

The failure rates that have been used for the basic components
of the system reflect currently available technology. Specific
component reliability references are listed where appropriate.

Primary Actuator: 0.25 x 10^-6/hour or 3.0 x 10^-6/hour

The lower of these numbers is specified in reference 3, where,
however, it refers to single point failures in a four-actuator
package. The higher of the numbers is a conservative estimate of
today's technology. In any event, while this number exerts a
dominant influence on the total achievable system failure rate
(see Section 6), it enters the relative evaluation of redundant
configurations, representing as it does a single point failure,
only from the point of view of whether the relative failure
contributions of improved redundancy management configurations
are significant in the light of this system limit.

Secondary Actuator: 100 x 10^-6/hour

Actuators currently available suffer from relatively high
failure rates. The failure rate of 100 x 10^-6/hour does not
include loss of the associated hydraulics.

Tables 1-2 and 1-3 list the failure rates of other FBW system
components that were used in this program. Most of the rates are
standard and have been used in many FMEA's and certification
programs. The failure rate for the digital computer is believed
to be applicable for the 1975-6 time period.




TABLE 1-2

FBW PFCS I/O SIGNAL CHARACTERISTICS

Sensed Signal                   Range            Form              Failure Rate per 10^6 Hours
Pitch Stick Force               ±10 lbs          26 VAC 400 Hz       5
Roll Stick Force                ±10 lbs          26 VAC 400 Hz       5
Pedal Force                     ±10 lbs          26 VAC 400 Hz       5
Pitch Rate                      ±60°/sec         26 VAC 400 Hz      25
Roll Rate                       ±300°/sec        26 VAC 400 Hz      25
Yaw Rate                        ±60°/sec         26 VAC 400 Hz      25
Normal Acceleration             ±10 g            ±10 vdc            20
Lateral Acceleration            ±1 g             ±10 vdc            20
Longitudinal Acceleration       ±1 g             ±10 vdc            20
Angle of Attack                 ±50°             26 VAC 400 Hz      (not given)
Pitch Attitude                  ±60°             3 Wire Synchro    100
Roll Attitude                   ±360°            3 Wire Synchro    100
Elevator Servo Position LVDT    ±20°             26 VAC 400 Hz       3
Aileron Servo Position LVDT     ±30°             26 VAC 400 Hz       3
Rudder Servo Position LVDT      ±30°             26 VAC 400 Hz       3
Throttle Position LVDT          --               26 VAC 400 Hz       3
Dynamic Pressure                1800 lb/ft^2     Serial Binary      20
Auxiliary (Secondary) Actuator                                     100
CPU + 8K Core                                                       70
P/S for CPU, 8K Core, I/O                                           30
Basic I/O + I/O Control                                             20
Power Actuator (includes control linkages)                         0.25 to 3.0

TABLE 1-3

AUTOLAND SYSTEM I/O SIGNAL CHARACTERISTICS

Sensed Signal             Range                         Form              Failure Rate per 10^6 Hours
Pitch Attitude Gyro       ±60°                          26 VAC 400 Hz     127
Glide Slope Receiver      ±3°                           ±10 vdc            65
Radio Altimeter           0-2500 ft                     ±10 vdc           176
Roll Attitude Gyro        ±360°                         26 VAC 400 Hz     127
Normal Accelerometer      ±10 g                         ±10 vdc            20
Yaw Rate Gyro             ±40°/sec                      26 VAC 400 Hz      50
Preset Course             0-360°                        3 Wire Synchro    100
Localizer Receiver        ±5°                           ±10 vdc            58
CADC                      0-100 K ft; 100-1500 kts      ±10 vdc           352
Wheel Spin Up             --                            --                  8
Throttle Servo            --                            --                 27
Electrical Power System
    AC Bus                --                            --                300
    DC Bus                --                            --                  8


APPENDIX  II 


Failure Performance Requirements


Existing Sources of Failure Performance Requirements


Failure in a flight control system may be defined as any event
internal to the system that, if not compensated for, would lead
to an unacceptable performance change in the aircraft. There
does not appear to be any official document, issued by a
cognizant U. S. military or civil agency, which defines, in a
comprehensive manner, flight control system performance in the
event of failures*. One reason for this is, no doubt, that
"acceptable performance" depends on the application, and detailed
specifications are therefore best left to procurement
specifications. Some aspects of failure performance are, however,
discussed in MIL-F-8785B (ASG), FAA Advisory Circulars, and Air
Registration Board (UK) Technical Notes. Pertinent comments from
these sources are as follows:

a. MIL-F-8785B (ASG)

Paragraph 3.1.10.1, Requirements for Airplane Normal States

The minimum required flying qualities for airplane normal states
are:

    Within Operational Flight Envelope    Level 1
    Within Service Flight Envelope        Level 2

Levels for Airplane Failure States

    Probability of Encountering    Within Operational Flight Envelope    Within Service Flight Envelope
    [the body of this table is not legible in the source]


*This statement was made before the publication of the draft
of MIL-F-9490D, March 1974.




"After  failure"  means  "after  the  occurrence  of  one  or  more 
failures"  during  the  longest  operational  mission  time  considered 
by  the  contractor  designing  the  airplane.  Failures  are  due  to 
all  causes  including  flight  control  system  failures. 

Paragraph 3.5.5.1 Failure Transients

With controls free, the airplane motions due to failures
described in paragraph 3.5.5 shall not exceed the following
limits for at least 2 seconds following the failure, as a
function of the level of flying qualities after the failure
transient has subsided:


Level 1 (after failure):  ±0.05 g normal or lateral acceleration
                          at the pilot's station and ±1 degree per
                          second in roll

Level 2 (after failure):  ±0.5 g at the pilot's station, ±5 degrees
                          per second roll and the lesser of ±5
                          degrees sideslip or the structural limits

Level 3 (after failure):  No dangerous attitude or structural limit
                          is reached, and no dangerous alteration of
                          the flight path results from which recovery
                          is impossible.


Paragraph 3.5.5.2 Trim Changes due to Failures

The control forces required to maintain attitude and zero
sideslip for the failures described in paragraph 3.5.5 shall not
exceed the following limits for at least 5 seconds following
the failure:


Elevator  - 20  pounds 

Aileron  - 10  pounds 

Rudder  - 50  pounds 

Paragraph 3.5.6 Transfer to Alternate Control Modes

The  transient  motions  and  trim  changes  resulting  from  the 
intentional  engagement  or  disengagement  of  any  portion  of  the 
primary  flight  control  system  by  the  pilot  shall  be  small  and 
gradual  enough  that  dangerous  flying  qualities  never  result. 




Paragraph 3.5.6.1 Transients


With controls free, the transients resulting from the situations
described in 3.5.6 shall not exceed the following limits for at
least 2 seconds following the transfer:


Within the Operational      ±0.05 g normal or lateral acceleration
Flight Envelope             at the pilot's station and ±1 degree
                            per second roll

Within the Service          ±0.5 g at the pilot's station, ±5
Flight Envelope             degrees per second roll, and the
                            lesser of ±5 degrees sideslip or
                            the structural limit


These requirements apply only for Airplane Normal States.


Paragraph 3.5.6.2 Trim Changes


The control forces required to maintain attitude and zero
sideslip for the situations described in paragraph 3.5.6 shall
not exceed the following limits for at least 5 seconds following
the transfer:


Elevator    20 pounds
Aileron     10 pounds
Rudder      50 pounds


These  requirements  apply  only  for  Airplane  Normal  States. 


Paragraph 3.6 Characteristics of Secondary Control Systems


Paragraph 3.6.1 Trim System

In straight flight, throughout the Operational Flight Envelope,
the trimming devices shall be capable of reducing the elevator,
rudder, and aileron control forces to zero for Levels 1 and 2.
For Level 3, the untrimmed cockpit control forces shall not
exceed 10 pounds elevator, 5 pounds aileron, and 20 pounds
rudder. The failures to be considered in applying the Level 2
and 3 requirements shall include trim sticking and runaway in
either direction. It is permissible to meet the Level 2 and
3 requirements by providing the pilot with alternate trim
mechanisms or override capability. Additional requirements
on trim rate and authority are contained in MIL-F-9490 and
MIL-F-18372.




It should be noted that 3.1.10.2 also specifies that no single
failure state shall degrade any flying quality outside of the
Level 3 limit. It should also be noted that, for Level 3,
untrimmed cockpit control forces should not exceed 10 pounds for
elevator, 5 pounds for aileron and 20 pounds for the rudder.

In reference 22, it is indicated that an F-5 requires 48 pounds
elevator, 8 pounds aileron and 19 pounds rudder in order to
compensate for hardover trim. Thus, in order to insure compliance
with this specification, trim is assumed to be required in order
to maintain Level 3 flying qualities.


b. Air Registration Board Technical Note No. 92

The document states that the present fatal manual landing
accident rate is about 1.0 x 10^-6 accidents per landing for
transport aircraft and suggests that the total fatal landing
accident rate (below 200 ft. and 1/2 mile range) should not
exceed 1.0 x 10^-7 accidents per automatic landing. The document
also suggests that the automatic landing abort rate should not
exceed 1 abort in 20 committed landings. According to this
document an abort is the termination of autoland from the time
that the aircraft has been accepted for approach. A more severe
criterion is the requirement that autoland be functional
following a 2 hour en route flight. For the DC-10 autoland
system, it is required (by the aircraft manufacturer) that the
probability of a failure occurring during a 2 hour en route
flight which would reduce the functional capability of autoland
upon engagement should be less than 1/200.


c.  Federal  Aviation  Regulations,  Vol.  II,  Part  37 
Paragraph  37.119 

d. TSO-C9c Paragraph 4.6

"The automatic pilot design shall be such that, should a single
failure (except gyro mechanical failures) occur in the system,
no signal shall result which would apply to the aircraft maximum
servo control forces as determined in Paragraph 4.5.2, in more
than one primary and trim aerodynamic axis."

In Reference 21 the following revision is suggested:

"The system design must be such as to avoid multiaxis hardovers.
If multiaxis hardovers can result from a single failure, the
resultant aircraft response must be controllable by the pilot."




e. The following paragraphs have been extracted from
MIL-F-9490D (DRAFT)

1.0 SCOPE AND CLASSIFICATION


1.1 Scope. This specification establishes general performance,
design, development and quality assurance requirements for the
flight control systems of USAF manned piloted aircraft. Flight
control systems (FCS) include all components used to transmit
flight control commands from the pilot or other sources to
appropriate force and moment producers. Flight control commands
may result in control of aircraft attitude, airspeed, flight
path, aerodynamic configuration, ride, and structural modes.
Among components included are the pilot's controls, dedicated
displays and logic switching, system dynamic and air data
sensors, signal computation, test devices, transmission devices,
actuators, and signal transmission lines dedicated to flight
control. Excluded are aerodynamic surfaces, engines, helicopter
rotors, fire control devices, crew displays and electronics not
dedicated to flight control.


1.2 Classification

1.2.1 Flight Control System (FCS) Classifications

1.2.1.1 Manual Flight Control Systems (MFCS). Combinations of
electrical, mechanical and hydraulic components which transmit
pilot control commands and/or generate and convey commands which
augment pilot control commands, and thereby accomplish flight
control functions, are classified Manual Flight Control Systems.
This classification includes the longitudinal,
lateral-directional, lift, drag and variable geometry control
systems and their associated stability augmentation, command
augmentation, and performance limiting and control devices.

1.2.1.2 Automatic Flight Control Systems (AFCS). Combinations of
electrical, mechanical and hydraulic components which generate
and transmit automatic control commands which provide pilot
assistance through automatic or semiautomatic flight path
control, or which automatically control airframe response to
disturbances, are classified Automatic Flight Control Systems.
This classification includes automatic pilots, stick or wheel
steering, autothrottles and structural mode control.




1.2.2 FCS Operational State Classifications

1.2.2.1 Operational State I (Normal Operations). The normal state
of flight control system performance, safety and reliability
achieved. This state satisfies MIL-F-8785 or MIL-F-83300 Level 1
flying qualities requirements.

1.2.2.2 Operational State II (Restricted Operation). The state of
less than normal equipment operation or performance which
involves degradation or failure of only a noncritical portion of
the overall Flight Control System. A moderate increase in crew
workload and degradation in mission effectiveness may result from
restricted choice of normally operating FCS modes available for
use; however, the intended mission may be accomplished. This
state satisfies at least MIL-F-8785 or MIL-F-83300 Level 2
flying qualities requirements.

1.2.2.3 Operational State III (Minimum Safe Operation). A state
of degraded flight control system performance, safety or
reliability which permits safe termination of precision tracking
or maneuvering tasks, and safe cruise, descent, and landing at
the destination of original intent or alternate, but where pilot
workload is excessive and/or mission effectiveness is inadequate.
Phases of the intended mission involving precision tracking or
maneuvering cannot be completed satisfactorily. This state
satisfies at least MIL-F-8785 or MIL-F-83300 Level 3 flying
qualities requirements.

1.2.2.4 Operational State IV (Controllable to an Immediate
Emergency Landing). The state of degraded FCS operation at which
continued safe flight is not possible; however, sufficient
control remains to allow engine restart attempt(s), a controlled
descent and immediate emergency landing.

1.2.2.5 Operational State V (Controllable to an Evacuable Flight
Condition). The state of degraded FCS operation at which the FCS
capability is limited to maneuvers required to reach a flight
condition at which crew evacuation may be safely accomplished.


1.2.3 FCS Criticality Classification

1.2.3.1 Essential. A function is essential if loss of the
function results in an unsafe condition and inability to
maintain FCS Operational State III.




1.2.3.2 Flight Phase Essential. A function is flight phase
essential if loss of the function results in an unsafe condition
and inability to maintain FCS Operational State III only during
specific flight phases.

1.2.3.3 Noncritical. A function is noncritical if loss of the
function does not affect flight safety or result in control
capability below that required for FCS Operational State III.


Classes. Airplane classes are defined using the MIL-F-8785
definitions for the following classes.

Class I     Small, light airplanes such as
                Light utility
                Primary trainer
                Light observation

Class II    Medium weight, low-to-medium maneuverability airplanes
            such as
                Heavy utility/search and rescue
                Light or medium transport/cargo/tanker
                Early warning/electronic countermeasures/airborne
                  command, control, or communications relay
                Antisubmarine
                Assault transport
                Reconnaissance
                Tactical bomber
                Heavy attack
                Trainer for Class II

Class III   Large, heavy, low-to-medium maneuverability airplanes
            such as
                Heavy transport/cargo/tanker
                Heavy bomber
                Patrol/early warning/electronic countermeasures/
                  airborne command, control, or communications relay
                Trainer for Class III

Class IV    High-maneuverability airplanes such as
                Fighter/interceptor
                Attack
                Tactical reconnaissance
                Observation
                Trainer for Class IV

Where MIL-F-83300 applies, the corresponding MIL-F-83300 Class I,
II, III or IV applies.

3.1.3.10 All Weather Landing Performance Standards. "The
lateral-directional control system's performance shall be such
that aircraft lateral velocities normal to the runway centerline
shall not cause a maximum aircraft lateral displacement greater
than 75 ft., as measured to either side of the runway centerline
from the outermost main landing gear of the aircraft, more often
than 1 in 10^[exponent illegible in source] landings."

3.1.3.2 Failure Immunity and Safety. Within the permissible
flight envelope, no single failure or failure combination in the
FCS, which is not extremely remote, shall result in any of the
following before a pilot or safety device can react. For this
specification, extremely remote (6.6) is defined as numerically
equal to the maximum aircraft loss rate due to relevant FCS
material failures specified in 3.1.7.

a. Flutter, divergence, or other aeroelastic instabilities
within the permissible flight envelope of the aircraft, or a
structural damping coefficient for any critical flutter mode
below the fail-safe stability limit of MIL-A-8870.

b. Uncontrollable motions of the aircraft within its permissible
flight envelope, or maneuvers which generate limit airframe
loads.

c. Inability to safely land the aircraft.

d. Any asymmetric, unsynchronized, unusual operation or lack of
operation of flight controls that produces operation below FCS
Operational State III.




3.1.3.3.4 Failure Transients. Aircraft motions following sudden
airplane system or component failures shall be such that
dangerous conditions can be avoided by pilot corrective action.
Transients due to failures resulting in FCS Operational States I
or II within a redundant FCS shall not exceed 0.5 g incremental
normal or lateral acceleration at the center of gravity or
±10°/sec roll rate. Transients due to failures within the FCS
resulting in FCS Operational State III shall not exceed 75% of
limit load factor or 1.5 g's, whichever is less, at the most
severe flight condition.

3.1.3.9 System Test and Monitoring Provisions. Test and
monitoring means shall be incorporated into the essential and
flight phase essential FCS as required to meet the mission
reliability requirements of 3.1.6, the flight safety
requirements of 3.1.7 and the fault isolation requirements of
3.1.10.2.

3.1.3.9.1 System Test and Monitoring Analysis. The effect of
undetected FCS failures, taken with the probability of
occurrence of such failures, shall comply with the system
reliability and safety requirements. The analysis verifying this
requirement shall include all failures, both active and latent,
and failures in all components of the system, including
mechanical, electrical and hydraulic components.

3.1.3.9.2 Built-In-Test Equipment (BIT). The total maintenance
aid testing, including BIT and inflight monitoring, shall provide
an integrated means of fault isolation to the LRU level with a
confidence factor of 90%. BIT functions shall have multiple
provisions to ensure they cannot be engaged in flight.

3.1.3.9.2.1 Preflight or Pre-engage BIT. Preflight or pre-engage
BIT may be automatic or pilot-initiated, and includes any test
sequence normally conducted prior to takeoff or prior to
engagement of a control to provide assurance of subsequent system
safety and operability. The preflight tests shall not rely on
special ground test equipment for their successful completion.
Any test sequence which could disturb the normal activity of the
aircraft in a given mode shall be inhibited when that mode is
engaged.
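The two BIT requirements just quoted (multiple provisions against engagement in flight, and inhibition of any test sequence that could disturb an engaged mode) are illustrated by the following added example, which is not part of the specification or the report. The discrete names, the thresholds, the list of test sequences and the table of which modes each sequence could disturb are this example's own assumptions. The design point is that every independent source of "on the ground" evidence must agree, so that one stuck or spoofed discrete cannot by itself enable BIT in flight, and that the decision fails closed.

```python
"""Engagement interlock for built-in test (BIT).  Added example, not
from the specification or the report; discrete names, thresholds and
the mode table are assumptions made for illustration.
"""
from dataclasses import dataclass

# Modes whose normal activity a given test sequence could disturb (assumed).
DISTURBS = {
    "actuator_sweep": {"CAS", "SAS", "AUTOLAND"},
    "sensor_wraparound": {"AUTOLAND"},
    "memory_checksum": set(),
}

WOW_MIN_AGREE = 2            # of three weight-on-wheels discretes
MAX_GROUND_SPEED_KTS = 5.0   # wheel-speed gate (assumed threshold)
MAX_AIRSPEED_KTS = 60.0      # air-data gate (assumed threshold)


@dataclass
class AircraftState:
    weight_on_wheels: tuple   # three independent discretes
    wheel_speed_kts: float
    airspeed_kts: float
    engaged_modes: frozenset
    pilot_bit_request: bool


def ground_evidence(state):
    """Each independent provision that can testify 'on the ground'.
    They come from different sensors so that a single failure does not
    defeat the interlock."""
    return {
        "wow": sum(1 for d in state.weight_on_wheels if d) >= WOW_MIN_AGREE,
        "wheel_speed": state.wheel_speed_kts <= MAX_GROUND_SPEED_KTS,
        "airspeed": state.airspeed_kts <= MAX_AIRSPEED_KTS,
    }


def bit_permitted(state, sequence):
    """Return (permitted, reasons).  All ground provisions must agree and
    the pilot must have asked; a sequence is inhibited while any mode it
    could disturb is engaged; unknown sequences are refused (fail closed)."""
    reasons = []
    for name, ok in ground_evidence(state).items():
        if not ok:
            reasons.append("in-flight evidence: " + name)
    if not state.pilot_bit_request:
        reasons.append("no pilot request")
    if sequence not in DISTURBS:
        reasons.append("unknown test sequence")
    clash = DISTURBS.get(sequence, set()) & state.engaged_modes
    if clash:
        reasons.append("inhibited by engaged mode(s): " + ", ".join(sorted(clash)))
    return (not reasons), reasons


if __name__ == "__main__":
    airborne = AircraftState((True, False, False), 0.0, 250.0, frozenset({"CAS"}), True)
    print(bit_permitted(airborne, "actuator_sweep"))
```

In the airborne case shown, the wheels have stopped spinning (so the wheel-speed gate alone would say "ground") and one weight-on-wheels discrete has failed true, yet the request is still refused because the other two provisions disagree; this is the kind of independent, multiple provision the paragraph asks for.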

3.1.3.9.2.2 Maintenance BIT. BIT shall also be provided as a
postflight maintenance aid for the FCS. BIT shall be designed to
avoid duplicating test features included as part of the
preflight test or monitoring functions.



3.1.3.9.3 Inflight Monitoring. Continuous monitoring of
equipment performance and/or critical flight conditions shall be
provided. The monitoring shall, as a minimum, be active during
essential or flight phase essential modes of operation. An
analysis shall be provided showing that false monitor warnings,
including the automatic or normal pilot response thereto, will
not constitute a specific hazard in excess of the system
reliability requirements.

3.1.6 Mission Accomplishment Reliability.

The probability of mission failure per flight due to relevant
material failures in the flight control system shall not ex-
ceed either a. or b. specified below. Failures in power supplies
or other subsystems that do not otherwise cause mission failure
shall be included where pertinent. A representative mission to
which this requirement applies shall be established and
defined in the FCS Specification (4.4.2).


a. Where overall A/C mission accomplishment relia-
bility is specified by the procurement activity,

    Q_M(fcs) \le (1 - R_M)\, A_M(fcs)

b. Where overall A/C mission accomplishment
reliability is not specified,

    Q_M(fcs) \le 1 x 10*^

where

Q_M(fcs) = Maximum acceptable mission unreliability
           due to relevant FCS material failures

R_M      = Specified overall aircraft mission
           accomplishment reliability

A_M(fcs) = Mission accomplishment allocation
           factor for flight control.

3.1.7 Quantitative Flight Safety. The
probability of aircraft loss per flight due to relevant material
failures in the flight control system shall not exceed:

    Q_S(fcs) \le (1 - R_S)\, A_S(fcs)

where

Q_S(fcs) = Maximum acceptable aircraft loss rate
           due to relevant FCS material failures.

A_S(fcs) = Flight safety allocation factor
           for flight control.

R_S      = Overall aircraft flight safety
           requirement as specified by the
           procuring activity.

Failures in power supplies or other subsystems that do not
otherwise cause aircraft loss shall be included where pertinent.
A representative mission to which this requirement applies shall
be established and defined in the FCS Specification (4.4.2).

If overall aircraft flight safety in terms of R_S is not specified
by the procuring activity, the numerical requirements of
Table III apply.


TABLE III

FCS QUANTITATIVE FLIGHT SAFETY REQUIREMENTS

                                                          MAXIMUM AIRCRAFT
                                                          LOSSES PER FLIGHT

OVERALL A/C FLIGHT SAFETY    MIL-F-8785 CLASS III AIRCRAFT         Q_S(fcs)    5 x 10^-7
REQUIREMENT NOT SPECIFIED    ALL ROTARY WING AIRCRAFT              Q_S(fcs)   25 x 10^-7
BY PROCURING ACTIVITY        MIL-F-8785 CLASS I, II & IV AIRCRAFT  Q_S(fcs)  100 x 10^-7

3.1.7.1 Reliability - All Weather Landing
System. The average hazard due to the use of the all weather
landing system shall be less than the risk allowed in the con-
tractor's reliability budget for the all weather landing system.
To meet the requirements of 3.1.7, the contractor shall allocate
the FCS reliability budget among AWLS and other FCS. The
specific risk of a hazard due to use of the landing system
under an environmental limit or operational restriction shall
not increase the allowed risk by a factor of more than thirty.
These analyses shall provide the basis for establishing an
alert height at an altitude such that, with all systems opera-
tive at the alert height, the probability of a hazard occurring
during the landing is extremely remote.




3.1.7.1.1 Assessment of Average Risk of a Hazard.

The average risk of a hazard due to use of the all weather
landing system shall be established by a statistical analysis
which includes:

a. A system failure analysis showing
the effect of a failure or com-
bination of failures on system
performance and the probability
of their occurrence.

b. Failure analyses showing the effect
of failure or a combination of
failures in systems operating
concurrently with the all weather
landing AFCS on aircraft per-
formance and the probability of
their occurrence.

c. The probability of the system not
performing within the required
levels defined in 3.1.2.10 taken
in conjunction with the probability
that exceedance of those perform-
ance levels will result in a
hazard.

3.1.8 Survivability. FCS Operational State
IV or State V shall be provided as required by the procuring
activity.


3.1.9.4 Invulnerability to Onboard Failures of
Other Systems and/or Equipment

a. Flight control systems shall re-
tain FCS capability at Operation-
al State III (minimum safe) or
better after sustaining the follow-
ing failures:

(1) Failure of one engine in a
two-engine airplane.

(2) Failure of two engines in
three-engine and four-or-
more-engine airplanes.




(3) Failure of any single equip-
ment item or structural mem-
ber which, in itself, does
not cause degradation below
State III. This includes
any plausible single failure
of any onboard electrical or
electronic equipment.

b. Flight control systems, including
the associated structure and power
supplies on Class III aircraft,
shall be designed so that the
probability of losing the capa-
bility of maintaining FCS opera-
tion to at least State IV as a
result of an engine or other rotor
burst is extremely remote.

c. Flight control systems, including
the associated structure and power
supplies on Class I, II & IV air-
craft, shall be designed so that
the probability of degrading FCS
operation below State as a re-
sult of an engine or other rotor
burst is extremely remote.

3.1.10.2 Malfunction Detection and Fault
Isolation Provisions. Means providing a high probability for
detecting failures and monitoring critical performance condi-
tions as required to isolate faults to the LRU level shall be
incorporated in all flight control electrical and electronic
systems required to perform essential and/or flight-phase-
essential functions. These means may include cockpit instru-
mentation and/or built-in test equipment. For the mechanical
and fluid power portions of the flight control system, pro-
visions for the use of portable test equipment may also be
incorporated as required to meet the maintenance support and
operational concept of the particular weapon system.

3.2.1.4.2 FCS Warning and Status Annunciation.

FCS Warning and Status Annunciation shall be provided in the
cockpit. Annunciation shall be designed to clearly indicate
the associated degree of urgency.




a. First degree - that is: Immediate
Action Required

b. Second degree - Caution: Action may
be required

c. Third degree - Informational, no
immediate action required.

A panel comprising means for displaying first degree annuncia-
tions shall be located within the normal eye scan range of the
command pilot. A first degree warning or status indication,
which applies only to a particular mode or phase of flight,
shall be inhibited or designed to clearly indicate a lesser
degree of urgency for all other modes or phases of flight.


3.2.1.4.2.1 Preflight Test (BIT) Status Annunciation.
This display shall:

a. Indicate the progress of the pre-
flight test.

b. Instruct the crew to provide re-
quired manual inputs.

c. Indicate lack of system readiness
when failure conditions are
detected.

3.2.1.4.2.2 Failure Status. Failure warnings shall
be displayed to allow the crew to assess the operable status of
redundant or monitored flight control systems. Automatic dis-
engagement of an AFCS mode shall be indicated by an appropriate
warning display. Manual disengagement by the crew shall not
result in warning annunciation. Loss of valid signals critical
to existing modes of operation for FCS or flight director shall
result in appropriate warnings and/or system deactivation.

4.2.2 Reliability and Failure Mode and Effects
Analyses. When required by the procuring activity, reliability
and failure mode and effects analyses shall be performed to
analytically demonstrate that the FCS satisfies the requirements
of 3.1.6 and 3.1.7. When required by the procuring activity,
the Reliability Program Plan, defined by MIL-STD-785, shall
outline steps to be used to perform these analyses.




APPENDIX  III 


Mathematical  Addenda 

Given the probability model as described in Section 3 we
note the following relationships:

III-1    \alpha = P(\bar{A} \mid F) = \dfrac{P(F\bar{A})}{P(F)}

III-2    \beta = P(\bar{F} \mid A) = \dfrac{P(\bar{F}A)}{P(A)}

III-3    P(FA) + P(F\bar{A}) = P(F)

III-4    P(FA) + P(\bar{F}A) = P(A)

III-5    P(FA) + P(F\bar{A}) + P(\bar{F}A) + P(\bar{F}\bar{A}) = 1

From (III-1) and (III-2) we obtain

III-6    P(F\bar{A}) = \alpha P(F)

III-7    P(\bar{F}A) = \beta P(A)

and from (III-3) and (III-6)

III-8    P(FA) = (1 - \alpha) P(F)

Substituting \beta P(A) for P(\bar{F}A) and (1 - \alpha) P(F) for P(FA) in
(III-4) and solving for P(A) yields

III-9    P(A) = \dfrac{1 - \alpha}{1 - \beta} P(F)

Substituting P(A) of (III-9) into (III-7) yields

III-10   P(\bar{F}A) = \dfrac{\beta (1 - \alpha)}{1 - \beta} P(F)

Finally, substituting (III-6), (III-8) and (III-10) into (III-5)
yields

III-11   P(\bar{F}\bar{A}) = 1 - \dfrac{1 - \alpha\beta}{1 - \beta} P(F)

Summarizing, we obtain

III-12   P(F\bar{A}) = \alpha z

III-13   P(FA) = (1 - \alpha) z

III-14   P(\bar{F}A) = \dfrac{\beta (1 - \alpha)}{1 - \beta} z

III-15   P(\bar{F}\bar{A}) = 1 - \dfrac{1 - \alpha\beta}{1 - \beta} z

III-16   P(A) = \dfrac{1 - \alpha}{1 - \beta} z

where

    z = P(F).

From (III-15) and the inequality

    0 \le P(\bar{F}\bar{A}) \le 1

we obtain

III-17   z \le \dfrac{1 - \beta}{1 - \alpha\beta}


As indicated in Section 3, a small value of \alpha is desirable
for a given test but \alpha does not, by itself, reflect the detection
capabilities of a test. For example, a test could alarm after
every application. Such a test would detect all failures and
hence would yield \alpha = 0. A preferable measure of failure detec-
tion capability is the causal counterpart of \alpha; i.e.,

    \gamma = P(\bar{a} \mid f)

where f = event of a single, random failure and a = corresponding
causal alarm. The quantity \gamma is a direct measure of failure
detection capability and can be evaluated independently of the fre-
quency of nuisance alarms. The quantity \gamma is called the
"test deficiency". We will show, by means of an example, that

    \gamma \approx \alpha

when the mission time is sufficiently small.

Example

In this example, we assume that failures and non-causal
alarms are Poisson distributed in time with rates \lambda_F, \lambda_A
respectively. Then, if T = mission time,

III-18   P(F) = 1 - e^{-\lambda_F T}

III-19   P(\bar{F}) = e^{-\lambda_F T}

III-20   P(F\bar{A}) = e^{-\lambda_A T} \sum_{k=1}^{\infty} e^{-\lambda_F T} \dfrac{(\lambda_F T)^k}{k!} \gamma^k
                    = e^{-\lambda_A T} e^{-\lambda_F T} (e^{\gamma \lambda_F T} - 1)

III-21   P(\bar{F}\bar{A}) = e^{-\lambda_F T} e^{-\lambda_A T}

III-22   P(FA) = P(F) - P(F\bar{A})
               = (1 - e^{-\lambda_F T}) - e^{-\lambda_A T} e^{-\lambda_F T} (e^{\gamma \lambda_F T} - 1)

III-23   \alpha = \dfrac{P(F\bar{A})}{P(F)} = \dfrac{e^{-\lambda_A T} e^{-\lambda_F T} (e^{\gamma \lambda_F T} - 1)}{1 - e^{-\lambda_F T}}

III-24   P(A) = P(FA) + P(\bar{F}A)

III-25   P(\bar{F}A) = e^{-\lambda_F T} (1 - e^{-\lambda_A T})

         P(A) = 1 - e^{-\lambda_F T} - e^{-\lambda_A T} e^{-\lambda_F T} (e^{\gamma \lambda_F T} - 1) + e^{-\lambda_F T} (1 - e^{-\lambda_A T})
              = 1 - e^{-\lambda_A T} e^{-\lambda_F T} e^{\gamma \lambda_F T}

         \beta = \dfrac{P(\bar{F}A)}{P(A)} = \dfrac{e^{-\lambda_F T} (1 - e^{-\lambda_A T})}{1 - e^{-\lambda_A T} e^{-\lambda_F T} e^{\gamma \lambda_F T}}

If T is small then

III-26   P(F) \approx \lambda_F T
         P(\bar{F}A) \approx \lambda_A T
         P(F\bar{A}) \approx \gamma \lambda_F T
         P(FA) \approx (1 - \gamma) \lambda_F T
         \alpha \approx \gamma
         \beta \approx \dfrac{\lambda_A T}{\lambda_A T + (1 - \gamma) \lambda_F T}

From this example we conclude that if the mission time is
sufficiently small then

    P(F\bar{A}) \approx P(a single failure and no alarm)

    P(\bar{F}A) \approx P(a single alarm and no failure)

    P(FA) \approx P(a single failure and a causal alarm)

and we may approximate \gamma by \alpha.
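The model of III-18 to III-26 worked in code, as an added example that is not code from the report: the exact event probabilities, \alpha and \beta for given rates, a check of identities III-3 to III-5 and of bound III-17, and the small-T approximations. The rates, \gamma and mission times used are constructed, and the function names are this example's own.

```python
"""Probability model of Appendix III: failures and non-causal alarms are
Poisson with rates lam_f and lam_a, T is the mission time and gamma is the
test deficiency P(no causal alarm | a single failure).

Added example, not code from the Bendix report.  The formulas are III-18
to III-26; bars in the report's notation are written 'no' here.  The rates
in the demo at the bottom are constructed, not data from the report."""
from math import exp


def event_probabilities(lam_f, lam_a, gamma, t):
    """Exact joint probabilities for one mission of length t (III-18 to III-25)."""
    if t <= 0 or lam_f <= 0:
        raise ValueError("need positive mission time and failure rate")
    p_f = 1.0 - exp(-lam_f * t)                                          # III-18
    # one or more failures, every one of them undetected, and no non-causal alarm
    p_f_noa = exp(-lam_a * t) * exp(-lam_f * t) * (exp(gamma * lam_f * t) - 1.0)  # III-20
    p_nof_noa = exp(-lam_f * t) * exp(-lam_a * t)                        # III-21
    p_f_a = p_f - p_f_noa                                                # III-22
    p_nof_a = exp(-lam_f * t) * (1.0 - exp(-lam_a * t))                  # III-25
    return {"F": p_f, "F_noA": p_f_noa, "noF_A": p_nof_a, "F_A": p_f_a,
            "noF_noA": p_nof_noa, "A": p_f_a + p_nof_a}                 # III-24


def alpha_beta(lam_f, lam_a, gamma, t):
    """alpha = P(no alarm | failure) (III-23) and beta = P(no failure | alarm)."""
    p = event_probabilities(lam_f, lam_a, gamma, t)
    return p["F_noA"] / p["F"], p["noF_A"] / p["A"]


def check_identities(lam_f, lam_a, gamma, t, tol=1e-12):
    """True if III-3, III-4, III-5 and the bound III-17 on z = P(F) all hold."""
    p = event_probabilities(lam_f, lam_a, gamma, t)
    alpha, beta = alpha_beta(lam_f, lam_a, gamma, t)
    z = p["F"]
    ok_3 = abs(p["F_A"] + p["F_noA"] - p["F"]) < tol
    ok_4 = abs(p["F_A"] + p["noF_A"] - p["A"]) < tol
    ok_5 = abs(sum(p[k] for k in ("F_A", "F_noA", "noF_A", "noF_noA")) - 1.0) < tol
    ok_17 = z <= (1.0 - beta) / (1.0 - alpha * beta) + tol
    return ok_3 and ok_4 and ok_5 and ok_17


def small_t_approximations(lam_f, lam_a, gamma, t):
    """First-order approximations of III-26, valid when lam_f*t and lam_a*t are small."""
    lf, la = lam_f * t, lam_a * t
    return {"F": lf, "noF_A": la, "F_noA": gamma * lf, "F_A": (1.0 - gamma) * lf,
            "alpha": gamma, "beta": la / (la + (1.0 - gamma) * lf)}


if __name__ == "__main__":
    # constructed rates: 1e-4 failures/h, 1e-3 nuisance alarms/h, gamma = 0.1
    for t in (0.5, 2.0, 10.0, 100.0):
        alpha, beta = alpha_beta(1e-4, 1e-3, 0.1, t)
        approx = small_t_approximations(1e-4, 1e-3, 0.1, t)
        print(f"T={t:6.1f} h  alpha={alpha:.4f} (gamma=0.1)  beta={beta:.4f} "
              f"(approx {approx['beta']:.4f})  identities ok={check_identities(1e-4, 1e-3, 0.1, t)}")
```

With gamma = 0 (a test that alarms on every application) alpha_beta returns alpha = 0 exactly, which is the report's point that alpha alone does not measure detection capability.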




APPENDIX  IV 


Redundant  Secondary  Actuators 

It  has  been  assumed  explicitly  throughout  all  of  the  trade- 
off studies  that  the  mechanical  voter  of  the  secondary  actuators 
is  a signal  selection  device  of  the  mid-valve  (MV)  type.  As  a 
consequence,  it  has  the  following  properties: 

In  the  absence  of  monitoring  the  signal  selector  is  a 
majority  device.  If  an  input  fails  and  is  detected  then  that 
signal  is  disqualified  and  the  SSD  proceeds  as  a majority  device 
with  the  remaining  signals.  The  output  fails  if  and  only  if 

• the  last  signal  input  fails  or 

• there  are  at  least  as  many  failed  (and  not 
disqualified)  inputs  as  non-failed  inputs. 

In  addition,  it  is  assumed  that  no  failure,  detected  or  not,  will 
result  in  damage  to  the  airframe  provided  that  the  good  signals 
are  in  the  majority  subsequent  to  the  failure.  Thus,  a single 
failed  channel  of  a triplex  channel,  detected  or  not,  will  not 
result  in  a transient  sufficient  to  cause  damage  to  the  airplane. 
In  practice,  a failure  transient  will  always  result  when  an 
active  failure  occurs.  The  severity  of  the  transient  is  in- 
fluenced by: 

• aircraft  dynamics 

• mode of operation (i.e., rate or acceleration
feedback, etc.)

• dynamical properties of the actuators

In  the  absence  of  details  regarding  these  influences  it  is 
impossible  to  characterize  the  effects  of  failures  whether 
detected  or  not.  Nevertheless,  some  insight  can  be  obtained  by 
considering  an  idealized  version  of  a mechanical  SSD  as  imple- 
mented in  several  existing  and  proposed  aircraft. 

1. Force Summing Characteristics

The mechanical quadruplex arrangement is shown in Figure
IV-1. It is assumed that the detent force is significantly less
than the maximum force input of the servos, otherwise differen-
tial pressure feedback would affect the results.


Referring to the figure

y_i  = Secondary actuator ram displacement, i-th channel
x_i  = Detent output shaft displacement, i-th channel
d_i  = Detent displacement, i-th channel
K_L  = Linkage compliance or spring constant
x_o  = Primary actuator valve displacement
f_d  = Detent breakout force
f_i  = Force exerted on summing shaft by i-th ram
f_s  = Total force on summing shaft exerted by rams
z_i  = Alternate equalization signal, i-th channel

Figure IV-2 shows an analytical block diagram of the mechanical
SSD.


By making the observation that

    x_i - x_o = f_i / K_L,   d_i = 0              (detent engaged, |f_i| < f_d)
    x_i - x_o \ge  f_d / K_L =  a  \Rightarrow  f_i =  f_d   (detent broken out)
    x_i - x_o \le -f_d / K_L = -a  \Rightarrow  f_i = -f_d

we can represent the SSD as shown in Figure IV-3. From the
figure it can be seen that the mechanical SSD is a limited
averaging device for a soft spring and becomes an MV SSD when
the linkage compliance, K_L, is infinite (or if K_p = 0). A
conventional representation of this device is shown in Figure
IV-4 and an electrical implementation, in Figure IV-5.


2. Normal Performance

Establishing the dynamical performance of redundant
actuators is a difficult and involved procedure and one which
is beyond the scope of this study. However, assuming ideal
operation, we know from past experience that the voting action
of the mechanical transducer exhibits an undesirable threshold
effect when the number of signal inputs is even. An example of
this effect is shown in Figure IV-6 where the differences between
channels are caused by differences in commands or in bias differ-
ences in follow-up signals. In many applications the threshold
will induce a limit cycle oscillation. The threshold can be
eliminated or reduced by equalizing the actuator (see Appendix
VI) or by insuring that all signal inputs are the same.

3. Failure Effects and Transients

Most failures can be classified in one of the following
categories:

• Step (usually a hardover)

• Slowover

• Passive (usually a null failure)

• Oscillatory

• Dynamic (i.e., gains, time constants, etc.)

In this section we are primarily interested in the response of
the actuators to hardovers, null and oscillatory failures.

Because a quadruplex arrangement reduces to a triplex arrangement
after a detected failure, the transient effects of failures can
be estimated for both arrangements by considering the following
sequences of failures:

• 1st failure undetected, 2nd failure undetected

• 1st failure detected, 2nd failure undetected

• 1st failure undetected, 2nd failure detected

• 1st failure detected, 2nd failure detected

Figures IV-7 through IV-12 show the effects of these failure
sequences in the quadruplex and triplex configurations. In all
cases the failures were chosen to exhibit the most severe tran-
sient effects. Referring to the figures

x_i = i-th channel input

x_o = MV SSD output.




In the representation of the output it is assumed that

a. x_i = x + d_i

b. x_i > 0

c. d_1 < d_2 < d_3 < d_4

where x = nominal signal

and d_i = fixed offset, i-th channel.

From  the  figures  it  can  be  seen  that 

• The  transient  which  accompanies  the  first  failure 
is  determined  by  the  channel  offsets. 

• Transients  due  to  disengaged  failures  can  be  more 
severe  than  the  transient  which  accompanied  the 
failure.  But  in  no  case  is  the  disengage  transient 
more  than  twice  the  amplitude  of  the  failure  transient. 

• Loss of control does not always result from two
undetected failures in a triplex or quadruplex SSD.
Loss of control depends upon direction of the two
failures.

• In the quadruplex SSD two hardover failures in the same
direction result in passive loss of control.

• In a triplex SSD two hardover failures in the same
direction result in a non-passive loss of control.

• Extrapolating to passive failures, loss of control in
the triplex and quadruplex configurations is always
passive if at least one of the undetected failures
is passive (fails to null).

Transients due to servo failures can be eliminated (assuming
follow-up biases are negligible) by providing a common servo
command from all channels. Even with common commands, transients
due to failures of the upstream units could propagate to the
surface — as from the common signals from the sensor SSD's.

Oscillatory Failures

The effects of an oscillatory failure can be seen in
Figure IV-13. The oscillation is propagated to the output with
an amplitude determined by the channel offsets. The frequency
of the oscillation is determined by the failed component and the
local area affected. The combined effect of an undetected
oscillatory failure and large channel offsets could result in an
undesirable airplane response.

Summary

It has been shown that the effective voting properties
of force summed secondary actuators approximate an ideal mid-
value signal selector device with some degree of limited averag-
ing. If channel offsets can be eliminated or reduced to accept-
able levels then performance proceeds undegraded in the presence
of a detected or undetected single channel failure in both the
triplex and quadruplex configurations.
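An added example, not code from the report, that models the idealised force-summed SSD of section 1 and reproduces the even-input threshold of section 2 and the hardover-failure conclusions of section 3 for the triplex and quadruplex cases. It assumes the force law f_i = clip(K_L (x_i - x_o), -f_d, +f_d) and that the shaft settles where the rams' forces cancel; all channel values, K_L and f_d are constructed.

```python
"""Idealised force-summed secondary actuator (mechanical signal selection
device, SSD) of Appendix IV.

Added example, not code from the Bendix report.  Model assumed here: each
channel i drives the common summing shaft through a linkage of stiffness
K_L and a detent that breaks out at force f_d, so the force it exerts is
    f_i = clip(K_L (x_i - x_o), -f_d, +f_d)
and the shaft settles where the rams' forces cancel.  Finding the whole
set of equilibrium positions, not just one, is what separates a
determinate output from the even-input threshold effect and from a
passive loss of control.  All channel values below are constructed."""
from typing import Sequence, Tuple


def channel_force(x_i: float, x_o: float, k_l: float, f_d: float) -> float:
    """Force of one ram on the summing shaft: spring force limited by the detent."""
    return max(-f_d, min(f_d, k_l * (x_i - x_o)))


def equilibrium_range(inputs: Sequence[float], k_l: float, f_d: float,
                      disqualified: Sequence[int] = ()) -> Tuple[float, float]:
    """Interval (x_lo, x_hi) of shaft positions at which the net force is zero.

    Channels whose failure was detected are disqualified and drop out of the
    vote.  A zero-width interval is a determinate output; a wide interval
    means the rams no longer hold the shaft to a single position."""
    active = [x for i, x in enumerate(inputs) if i not in disqualified]
    if not active:
        raise ValueError("no active channels")

    def net(x_o: float) -> float:
        return sum(channel_force(x, x_o, k_l, f_d) for x in active)

    # net() is continuous and non-increasing in x_o, positive below the
    # lowest input and negative above the highest, so a bisection from each
    # side locates the two ends of the zero-force set.
    lo, hi = min(active) - 1.0, max(active) + 1.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if net(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    x_lo = (lo + hi) / 2.0
    lo, hi = min(active) - 1.0, max(active) + 1.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if net(mid) < 0.0:
            hi = mid
        else:
            lo = mid
    x_hi = (lo + hi) / 2.0
    return x_lo, x_hi


def assess(inputs: Sequence[float], good: Sequence[float], k_l: float,
           f_d: float, disqualified: Sequence[int] = ()) -> str:
    """Classify the SSD output against the band spanned by the good channels.

    'normal'            output held within the band of good inputs
    'threshold'         held within the band but indeterminate across it
                        (the even-input threshold effect of section 2)
    'passive loss'      shaft not held; equilibrium set reaches outside the band
    'non-passive loss'  shaft driven to a single position outside the band"""
    x_lo, x_hi = equilibrium_range(inputs, k_l, f_d, disqualified)
    a = f_d / k_l                       # half-width of a detent's linear region
    band_lo, band_hi = min(good) - a, max(good) + a
    wide = (x_hi - x_lo) > 2.0 * a
    if band_lo <= x_lo and x_hi <= band_hi:
        return "threshold" if wide else "normal"
    return "passive loss" if wide else "non-passive loss"


if __name__ == "__main__":
    STIFF, SOFT = (1.0e4, 1.0), (1.0, 100.0)    # (K_L, f_d): mid-value vs averaging
    print("soft spring, triplex  ", equilibrium_range([1.0, 1.1, 1.3], *SOFT))
    print("stiff spring, triplex ", equilibrium_range([1.0, 1.1, 1.3], *STIFF))
    print("stiff spring, quad    ", equilibrium_range([1.0, 1.1, 1.3, 1.5], *STIFF))
    good = [1.0, 1.1]
    print("triplex, 2 hardovers undetected   ", assess([1.0, 10.0, 10.0], [1.0], *STIFF))
    print("quad, 2 hardovers undetected      ", assess([1.0, 1.1, 10.0, 10.0], good, *STIFF))
    print("quad, 1st detected, 2nd undetected", assess([1.0, 1.1, 10.0, 10.0], good, *STIFF, [2]))
```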


FIGURE IV-2   ANALYTICAL BLOCK DIAGRAM OF MECHANICAL SSD

FIGURE IV-3   EQUIVALENT ANALYTICAL BLOCK DIAGRAM OF MECHANICAL SSD

FIGURE IV-5   SIGNAL SELECTION DEVICE, Four Channel Operational Amplifier Type

FIGURE IV-8   Effects of Hardover Failures in a Quadruplex MV SSD:
              1st Failure Undetected, 2nd Failure Detected;
              1st Failure Detected, 2nd Failure Undetected

FIGURE IV-9   Effects of Hardover Failures in a Quadruplex MV SSD:
              1st Failure Detected, 2nd Failure Detected

FIGURE IV-11  Effects of Hardover Failures in a Triplex MV SSD:
              1st Failure Undetected, 2nd Failure Detected;
              1st Failure Detected, 2nd Failure Undetected

FIGURE IV-12  Effects of Hardover Failures in a Triplex MV SSD:
              1st Failure Detected, 2nd Failure Detected


APPENDIX  V 
The  Digital  Computer 

1. Basic Architecture and Functional Description

a. System Organization

The organization of a single thread digital automatic
flight control system (AFCS) is shown in Figure V-1. The primary
unit is the digital processor which will be described in detail
subsequently. All of the remaining components are associated
with the input/output (I/O) interface.

b.  Digital  Processor  and  I/O  Organization 

For  purposes  of  the  study,  it  is  assumed  that  the 
basic  digital  processor  is  a single  address  minicomputer.  While 
existing  computers  differ  in  details,  they  are  sufficiently 
similar  in  organizational  structure  to  justify  the  use  of  a 
"typical"  organizational  block  diagram.  Because  it  is  typical 
and  because  detailed  information  is  available,  it  was  decided  to 
use  the  organizational  structure  of  the  Bendix  BDX-910  digital 
computer.  The  organizational  block  diagram  of  the  computer  and 
associated  I/O  is  shown  in  Figure  V-2. 

c. I/O Interface

The  I/O  interface  consists  of  the  following  components: 

(1)  Signal  conditioners  and  prefilters  for  all  dc 
input  signals.  The  prefilters  suppress  high  frequency  sensor 
noise  which,  in  a digital  system,  would  otherwise  "fold"  into 
a lower  frequency. 

(2)  Demodulators  for  AC  inputs. 

(3)  Analog  to  digital  (A/D)  converters  and  multi- 
plexers if  the  A/D  is  time  shared. 

(4)  Discrete  input  signal  translators  and  signal 
conditioners. 


(5)  Serial  receivers,  decoders  and  buffer  storage. 

(6)  Parallel  and  serial  data  links  for  communication 
between  computers. 


DIGITAL COMPUTER AND ASSOCIATED I/O
FIGURE V-2


(7) Digital to analog (D/A) converters and multi-
plexers if the D/A is time shared.

(8) Sample and hold circuits.

(9) Post filters - To reduce intersample ripple and
frequency folding.

(10) Discrete output registers.

(11) Serial transmitters and encoders.

(12) I/O Controller - This unit controls the timing
and gating of the I/O and DMA.

(13) Direct memory access controller - Although shown
as a separate unit this controller is part of the I/O controller.

(14) Oscillator/Clock - This is the basic timing mech-
anism of the computer. It consists of a 16 MHz oscillator and
counters which yield submultiples of the oscillation frequency.

(15) Power Supply - A single power supply supplies the
power for both the digital processor and I/O. In some cases the
core memory has its own separate power supply.

d. Digital Processor

The digital processor consists of the following
components:

(1) Program Counter - This register contains the
address of the next instruction to be executed.

(2) Memory Address Register (MAR) - This register
stores the memory address. At the issuance of an appropriate
enable pulse, the word whose address is in the MAR is either
read or replaced.

(3) Memory - This unit consists of between 4K and 64K
16-bit words of storage for either instructions or data. The
memory is usually a core or semiconductor type. Only a portion
of the semiconductor memory can be overwritten. The entire core
memory can be overwritten unless the write capability is hard-
wired inhibited.

(4) Q-Register - This is a general purpose register
used as a buffer register for I/O interfacing or writing into
the scratch pad registers.




(5) Scratch Pad Address Register (SPADDR) - This
register contains the address of one of the arithmetic or index
registers. Its function is the same as the MAR.


(6)  Scratch  Pad  (SP)  - The  scratch  pad  consists  of  the 
arithmetic  and  index  registers.  It  is  always  possible  to  over- 
write a scratch  pad  register. 


(7) Arithmetic Operator - This unit performs the
arithmetic and logic operations such as shifting, complementing,
adding, subtracting, multiplying and dividing. It is also used
as a simple gating register.


(8)  Controller  - This  is  the  brain  of  the  computer. 
It  decodes  each  instruction  and  generates: 


(a)  Gating  Signals 


(b) I/O and DMA timing strobes


(c)  Logic  levels 


It  also  selects  appropriate  arithmetic  functions 
and  enables  memory  read/write. 


(9)  Memory  bus  (M-bus),  E-bus,  R-bus  - These  are 
parallel  data  busses  used  for  intercomputer  transfer  of  data. 


(10)  I/O  bus  - This  is  a parallel  data  bus  which  inter- 
faces with  the  I/O  devices. 


(11)  Direct  memory  access  (DMA)  - Direct  memory  access 
is  the  provision  to  transfer  external  data  directly  into  memory 
without  requiring  software  control  or  processor  time  for  alter- 
nate fetches  and  execution.  DMA  is  considered  a part  of  the 
I/O  even  though  Figure  V-2  shows  separate  I/O  and  DMA  controls. 


(12)  DMA  bus  - This  is  a parallel  data  bus  which  inter- 
faces with  DMA  devices. 


(13)  Intercomputer  data  link  - In  the  BDX-910,  the 
data  link  consists  of  either  a parallel  or  serial  bus  and  a 
buffer  which  is  used  exclusively  for  communication  between 
computers. 


e. Functional Operation


The  functional  operation  of  the  computer  will  be 
described  by  means  of  an  example. 


(1) At 'power on' an interrupt is generated by the
"power on" monitor in the I/O. This causes the controller to
insert a (hardwired) starting address on the I/O bus which is
then transferred to the P-counter and MAR. Thereafter the
P-counter is normally incremented by the least significant
bit unless otherwise instructed.

(2) Suppose the initial instruction calls for a trans-
fer of data from a memory location to an SP-register. In this
case, the instruction will contain the address of both the memory
word and SP-register.

(3) The controller gates the contents of the P-counter
into the MAR via the M-bus.

(4) The contents of memory (which contains the in-
struction) is read out and transferred to the controller via the
M-bus. Simultaneously, the contents of the M-bus are gated to
the Q-register via the E-bus. Those bits which reference the
SP-register are gated into the SP address register.

(5) The controller next gates those bits of the in-
struction which reference the memory location from the Q-register
to the MAR via the E and M busses. The data word is then read
out of memory and gated onto the M-bus. From the M-bus, the data
is transferred to the SP register, as dictated by the SP address
register, via the E-bus, Q-register and R-bus.

The controller is now ready for the next instruction.
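The register transfers of steps (1) to (5), as an added illustration that is not BDX-910 code: the 16-bit instruction layout (4-bit opcode, 4-bit scratch-pad index, 8-bit memory address), the opcode value and the hardwired start address 0x10 are assumptions of this example; the register and bus names follow the text.

```python
"""Register-transfer walk-through of the load-to-scratch-pad example in
Appendix V, steps (1) to (5).

Added illustration, not BDX-910 code.  Assumed for this example: a 16-bit
word holding a 4-bit opcode, a 4-bit scratch-pad index and an 8-bit memory
address, opcode 0x1 meaning SP[index] <- memory[address], and a hardwired
power-on start address of 0x10.  The trace records every bus transfer."""
from dataclasses import dataclass, field
from typing import List

OP_LOAD_SP = 0x1        # assumed opcode: SP[idx] <- memory[addr]
START_ADDR = 0x10       # assumed hardwired power-on start address
WORD_MASK = 0xFFFF


@dataclass
class Processor:
    memory: List[int]
    p_counter: int = 0
    mar: int = 0
    q_register: int = 0
    spaddr: int = 0
    scratch_pad: List[int] = field(default_factory=lambda: [0] * 16)
    trace: List[str] = field(default_factory=list)

    def bus(self, name: str, value: int) -> int:
        """Record a transfer over the named bus and return the word placed on it."""
        value &= WORD_MASK
        self.trace.append(f"{name}: {value:#06x}")
        return value

    def power_on(self) -> None:
        """Step (1): the power-on interrupt puts the hardwired start address on
        the I/O bus, from where it goes to both the P-counter and the MAR."""
        addr = self.bus("I/O bus", START_ADDR)
        self.p_counter = addr
        self.mar = addr

    def step(self) -> int:
        """Steps (3) to (5) for one LOAD_SP instruction; returns the SP index written."""
        # (3) P-counter -> MAR via the M-bus
        self.mar = self.bus("M-bus", self.p_counter)
        # (4) the instruction word is read from memory[MAR] onto the M-bus; the
        #     controller decodes it while the E-bus gates it into the Q-register
        instr = self.bus("M-bus", self.memory[self.mar])
        self.q_register = self.bus("E-bus", instr)
        opcode = instr >> 12
        if opcode != OP_LOAD_SP:
            raise NotImplementedError(f"opcode {opcode:#x} is not modelled here")
        self.spaddr = (instr >> 8) & 0xF            # SP-referencing bits -> SPADDR
        # (5) memory-referencing bits go from the Q-register to the MAR via the
        #     E- and M-busses; the data word is read out onto the M-bus
        self.mar = self.bus("M-bus", self.bus("E-bus", self.q_register & 0xFF))
        data = self.bus("M-bus", self.memory[self.mar])
        #     M-bus -> E-bus -> Q-register -> R-bus -> SP[SPADDR]
        self.q_register = self.bus("E-bus", data)
        self.scratch_pad[self.spaddr] = self.bus("R-bus", self.q_register)
        # ready for the next instruction: P-counter advances by its least significant bit
        self.p_counter = (self.p_counter + 1) & WORD_MASK
        return self.spaddr


def run_example() -> Processor:
    """Constructed program: one LOAD_SP at the start address, data word at 0x40."""
    mem = [0] * 256
    mem[START_ADDR] = (OP_LOAD_SP << 12) | (3 << 8) | 0x40   # LOAD SP[3] <- mem[0x40]
    mem[0x40] = 0x1234                                        # constructed data word
    cpu = Processor(memory=mem)
    cpu.power_on()
    cpu.step()
    return cpu


if __name__ == "__main__":
    cpu = run_example()
    print("\n".join(cpu.trace))
    print(f"SP[3] = {cpu.scratch_pad[3]:#06x}, P-counter = {cpu.p_counter:#06x}")
```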

Characteristics Peculiar to Digital Systems

The two most distinguishing characteristics of a
digital system are:

o The extent to which components are time shared and

o The discrete word signal and computational format.

f. Advantages of Time Sharing

(1)  Permits  utilization  of  sophisticated  algorithms 
without  a proportional  increase  in  size,  cost,  weight,  etc. 

(2)  Permits  standardization  of  components  and  con- 
sequent refinement  of  manufacturing  processes  which  tends  to 
significantly  increase  component  reliability. 




(3)  Facilitates,  at  least  in  principle,  self  checking 
of  the  time  shared  components. 

g.  Advantages  of  Discretization 

(1)  No  tolerance  buildup  in  signal  chain  once  data 
has  been  converted. 

(2)  Almost  total  insensitivity  to  noise  in  the  signal 
chain  once  data  has  been  converted. 

(3)  Permits  standardization  of  components  which 
results  in  improved  reliability. 

(4) The discrete word format is ideal for logic
computations.

The absence of tolerance buildup in the signal chain
permits extremely accurate cross-channel monitoring. Any
differences which do exist are the result of sensor differences
or a possible out-of-synch condition of one computer cycle.
Thus, with sensor monitoring excluded, the problem of nuisance
alarms is practically eliminated.

2. I/O Interface

a. Analog Input and Output Signals

Analog input signals are first handled by passing
them through a lag pre-filter as shown in Figure V-3. Note that
provisions are made for both single wire and two-wire type
signals. The resistance of the lag also serves as part of the
scaling of the input. The input is then presented to an input
multiplexer appropriate to the signal class, either one- or two-
wire and, in the case of A.C. signals, strobed for peak value
detection.

The outputs of the input multiplexers are then reduced
to single-ended signals (if required) and gain adjusted in groups.
A group multiplexer then selects the signal for conversion.

The A/D converter is a high speed successive approxi-
mation device (Figure V-4) using several LSI and hybrid micro-
circuits. Use of a high speed A/D makes possible the digitizing
of A.C. as well as D.C. signals without additional hardware by
restricting the selection of A.C. inputs to the time of the peak
of the A.C. reference.




Figure V-5 shows the method of handling analog outputs.
Digital output data is held in a buffer register while being
converted to analog form by a high speed D/A converter. The
analog output voltage is then impressed on the holding capacitor
of the appropriate output channel by means of an F.E.T. de-
multiplexer. The demultiplexer has suitable 'ON' and 'OFF' imped-
ances for use in this 'sample and hold' configuration. These
circuits also make maximum use of large scale integration and
hybrid circuit techniques.

The output of the holding capacitor is buffered by an
extremely high input impedance buffer amplifier and transformed
to suitable levels for the outputs. A low pass filter function
is included as part of the output buffering for those outputs
where the ripple component must be reduced.

b.  Discrete  Input  and  Output  Signals 


There are cases where it is advisable (by virtue of
short wire runs, safety, or lack of sufficient data to be
transferred) to use single 'dedicated' wires to communicate
single on/off functions. A typical signal in this class could
be a validity signal from a sensor, or a self-test command to
a sensor.

For  best  noise  immunity,  it  is  recommended  that  dis- 
crete signals  to  or  from  points  outside  any  package  be  at  a 
28  vdc  level.  These  signals  are  readily  handled  on  single  un- 
shielded conductors  in  aircraft  wiring. 

Where this is not possible, use of lower level signals (5 volts) is permissible if twisted pair (preferably shielded) wiring is used along with a balanced receiver circuit.

Figure V-6a shows a typical 28 volt discrete driver. This driver is current limited and transient suppressed as protection against 'normal' pick-up transients and faults. A matching receiver is shown in Figure V-6b. The use of a high resistance divider into the first CMOS inverter allows use of the internal clamping of the inverter for transient protection. The high input impedance of the second inverter allows large noise filter lag time constants using conveniently small capacitor values.


Figure  V-6c  shows  a typical  balanced  line  receiver  for 
low  level  discretes. 


c. Parallel and Serial Intercomputer Data Links


Digital  Data  Links 


Various information transfers are required between digital processors comprising the FCS and between these processors and other aircraft systems.

Data links to other aircraft systems are frequently outside the direct control of the FCS designers, being dictated by the airframe or avionics contractor. Where control is possible, it is recommended that these data links conform to the same standards as recommended in the following section describing intra-FCS digital data transmission.

Inter-Computer  Data  Links 

In considering a system of interconnected digital computers such as might be required for a FBW PFCS, data transfer between computers offers an area of design where the function and economies of the system can be enhanced or, alternatively, seriously degraded. The following presents some of the important design considerations necessary to select a data link scheme.

Types 

Binary data may be handled word-parallel or word-serial and, for each of these, bit parallel or bit serial. Word parallel effectively means separate wiring for each parameter to be transmitted and would be indicated only for extremely high data rates (perhaps 10^5 updates of the parameter per second) or very special conditions of isolation or security.

Given, then, that the parameters will be transmitted word-serial (that is to say, the parameters will be transmitted in some sequence over one channel), it becomes necessary to select bit-parallel or bit-serial (or, more conveniently stated, parallel or serial) transmission. A third possibility is called byte-serial, where portions of words are transmitted sequentially (serially) with each portion being in parallel format. This scheme will not be discussed further here because, in the context of straight binary intercomputer communication, it seems to come closer to combining disadvantages than to taking the best of each.




Considerations 


The primary consideration in selecting a data link scheme is the data rate requirement, in terms of total parameters (parameters times updates per second) transmitted per second. For a parallel system, this is also the bit rate on each of the wires. The bit rate of a serial system is the data rate times the bits per word. The bit rate is important in that it acts as a constraint on the types of circuits and interbox wiring which may be used.

Hand-in-hand with the data rate is the size of the data word. As a realistic working parameter, a word of 28 bits is assumed, consisting of one marker bit, 7 address bits, 16 data bits (15 magnitude bits plus sign), 3 spares and one parity bit. For the serial scheme four inter-word blank bit spaces are allowed for a total of 32 bit times.* A small change in the number of bits required should not seriously change any of the conclusions.

For the FBW PFCS application the following requirements for a single serial data link are estimated as sufficient to insure adequate capability:

    Maximum Sampling Rate      100/sec
    Data word length           16 bits (15 bits + sign bit)
    Address word length        7 bits
    Parity                     1 bit
    Marker                     1 bit
    Spares                     3 bits
    Blanks                     4 bits
    Word transfer rate         10^4/sec
    Clock Rate                 320 kHz


*Transmission is assumed to be autonomous (as opposed to command/response, for example).




In selecting a data link scheme, hardware considerations come into play. The buffer registers in either serial or parallel schemes need not be too different in terms of size and cost. In terms of differences, serial schemes generally require more timing and control circuitry and probably require more sophisticated encoding and line driver and receiver equipment. On the other hand, the parallel scheme requires 16* line circuits to the serial scheme's one, although the parallel line circuits may each be somewhat simpler. A parallel link is estimated to require between two and five times the hardware of an equivalent serial link. Ship's wiring between computers is similarly impacted: serial links require one somewhat more sophisticated wiring path compared to the requirement of 16 paths for parallel operation. This might trade off as one shielded twisted pair versus one 16-pair bundle. Obviously, this factor is strongly affected by the computer locations and the resulting path lengths.

Vulnerability of the data link to noise pickup is a matter of concern, but is more a function of the electrical scheme used than of the serial/parallel selection. The serial scheme uses a somewhat wider bandwidth channel, meaning somewhat greater noise sensitivity. On the other hand, the serial channel is likely to be somewhat more sophisticated due to its being a single channel: every increase in complexity is multiplied by one rather than 16.

It is not contemplated that any sort of error correcting code be used in this application, due to the added channel requirements and circuitry. A simple parity bit is recommended to pick up simple hardware failures, broken wires, and similar defects.
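As an added illustration of the 32-bit-time word layout assumed above and of what a single parity bit does and does not catch (example code written for this edition, not part of the original report): the field sizes are the report's, while the marker-first bit order, odd parity and two's-complement sign are assumptions, since the report fixes only the sizes. Odd parity is chosen so that a dead line (all zeros) is rejected as well as a single bit upset; a double upset in the data field passes the check unnoticed, which is the limit of a single parity bit.

```python
"""Serial data word of the layout assumed in the text (28 bits plus 4 blank
bit times = 32 bit times per word) with a parity check.  Added example, not
part of the original report.  Assumptions: bit order is marker first, parity
last; parity is odd so that an all-zero (broken-wire) word is rejected; the
sign is carried as two's complement in the 16-bit data field."""

MARKER_BITS, ADDR_BITS, DATA_BITS, SPARE_BITS, PARITY_BITS, BLANK_BITS = 1, 7, 16, 3, 1, 4
WORD_BITS = MARKER_BITS + ADDR_BITS + DATA_BITS + SPARE_BITS + PARITY_BITS  # 28
FRAME_BITS = WORD_BITS + BLANK_BITS                                          # 32


def line_bit_rate(word_rate):
    """Bit clock for an autonomous serial link: words/sec times bit times per word."""
    return word_rate * FRAME_BITS


def frame_word(address, value):
    """Return the 32 line bits for one word: marker, address, data, spares, parity, blanks."""
    if not 0 <= address < (1 << ADDR_BITS):
        raise ValueError("address does not fit in 7 bits")
    lo, hi = -(1 << (DATA_BITS - 1)), (1 << (DATA_BITS - 1)) - 1
    if not lo <= value <= hi:
        raise ValueError("value does not fit in 15 bits plus sign")
    raw = value & ((1 << DATA_BITS) - 1)                      # two's complement
    bits = [1]                                                # marker
    bits += [(address >> i) & 1 for i in reversed(range(ADDR_BITS))]
    bits += [(raw >> i) & 1 for i in reversed(range(DATA_BITS))]
    bits += [0] * SPARE_BITS
    bits.append(1 - (sum(bits) & 1))                          # odd parity over the 27 bits so far
    bits += [0] * BLANK_BITS                                  # inter-word gap
    return bits


def parse_word(bits):
    """Return (address, value), or None when the marker or parity does not check."""
    if len(bits) != FRAME_BITS:
        return None
    word = bits[:WORD_BITS]
    if word[0] != 1 or sum(word) % 2 != 1:  # marker missing or parity even
        return None
    addr = 0
    for b in word[1:1 + ADDR_BITS]:
        addr = (addr << 1) | b
    raw = 0
    for b in word[1 + ADDR_BITS:1 + ADDR_BITS + DATA_BITS]:
        raw = (raw << 1) | b
    if raw & (1 << (DATA_BITS - 1)):
        raw -= 1 << DATA_BITS
    return addr, raw


def inject(bits, fault):
    """Constructed line-fault models: broken wire, single upset, double upset."""
    out = list(bits)
    if fault == "broken_wire":
        out = [0] * len(out)          # dead line reads as all zeros
    elif fault == "flip1":
        out[12] ^= 1                  # one data bit inverted
    elif fault == "flip2":
        out[12] ^= 1                  # two data bits inverted: parity unchanged
        out[13] ^= 1
    return out


if __name__ == "__main__":
    frame = frame_word(5, -3)         # constructed sample: address 5, value -3
    print(line_bit_rate(10_000), parse_word(frame))
    for fault in ("broken_wire", "flip1", "flip2"):
        print(fault, parse_word(inject(frame, fault)))
```

The bit rate helper reproduces the 320 kHz clock of the table above from the 10^4 words/sec transfer rate. The double-upset case is the caveat: parity reports the word as good but with a wrong value, so a link whose failure modes include multi-bit corruption needs the stronger checks the text declines to add, or downstream signal selection to mask the bad value.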

A more  serious  consideration  included  in  the  term 
'vulnerability'  is  vulnerability  to  failure  propagation  from  line 
to  computer  or  computer  to  computer.  Any  reasonable  failure  or 
sequence  of  failures  associated  with  the  line  driver,  line  re- 
ceiver, or  the  line  itself  should  not  cause  dysfunction  of  other 
than  that  particular  data  link. 

Routing 

Various  possibilities  exist  in  providing  data 
communications  between  computers. 


* Additional  lines  may  be  required  for  coding  and  addressing. 




Several factors enter into the selection of the routing, one of the more important (after providing sufficient line data handling capacity) being the consequences of a line (including driver and receiver) failure. This should not cause a loss of communication with other channels, in order that failure isolation can take place without causing the dropping of a good computer due to one line failure. Similarly, a failure in one unit should not be able to disrupt communications between two other units.

A two way channel, i.e., A to B and B to A on one set of wires, obviously saves intercomputer wiring. The line drivers and receivers are almost the same in either case, except that channel occupancy must be detected. The real difference lies in the requirement that only one computer can transmit at a time, meaning that the two computers must be different in order that one is 'first' and the other 'second' within some time frame. This complicates the software required to execute a data transfer considerably and may even result in a program lock. The implications of two way links in schemes which require fully synchronous computers remain to be determined.

Encoding 

Numerous codes have been used for transmitting digital data. Four of these are shown in Figure V-7.

The NRZ (Non Return to Zero) code is shown as a three line code and illustrates the three elements which must be transferred. Some type of word sync is necessary to identify the start of a word. This is shown as a pulse occurring during the first bit of the word. Similarly a clock pulse train is required to identify a bit interval. Finally, the data must be transmitted. In this simple system three separate paths are used, resulting in very simple encoding/decoding circuits at the cost of extra line circuits. This simple system is specified for ARINC 561 Inertial Navigation Systems. Other versions of this system rely on clock and word synchronization between transmitter and receiver, transmitting only data. In parallel systems, word sync is not needed as a whole word is sent each bit interval, while only one clock needs to be transmitted for all the bits of a word.


A completely self-clocking code is the RZ (Return to Zero) Bipolar code specified for ARINC 575 Digital Air Data Systems. In this code, a 'one' is represented by a positive voltage pulse while a zero is a negative pulse. The voltage returns to zero between pulses, while the gap between words is a zero voltage for several bit periods. This code is easily decoded as the clock may be derived by simply full-wave rectifying the input, with virtually no timing problems beyond detecting the word gap. Probably the greatest disadvantage is the three voltage level structure, requiring a somewhat more complex driver than would otherwise be required. Line receiver requirements are also effectively doubled.

Two somewhat similar codes are the 'Manchester' code and the 'Harvard BiPhase' code. (The 'Harvard BiPhase' is specified in ARINC 573 for Airborne Integrated Data Systems.) Both are two voltage level self-clocking codes which carry the information in the voltage transitions rather than in the levels per se. The Manchester code may be looked at as a periodic wave, the period of which represents one bit time. A 'zero' is encoded as an in-phase (with some reference) voltage, while a 'one' is a 180° out-of-phase (inverted) voltage. Applied to a square wave this produces the waveform shown in Figure V-7. Note two things. First, the information may be detected as the direction of the mid-period transition or as the voltage level during either the first half or the second half of the cycle (as long as we are consistent). And, second, since the input (square wave) clock has no D.C. component, the encoded waveform has no D.C. component regardless of the encoded information.

If the Manchester code is similar to the RZ bipolar code in that the '1's and '0's are encoded as opposite polarities of voltage transitions in one case and levels in the other, then the Harvard BiPhase code is similar to the NRZ Unipolar example given in that a '1' is encoded as the presence of a mid-period transition or level (respectively) while a '0' is represented as the absence of this feature. In the Harvard code a transition is added at the bit period edges to allow self-clocking. The Harvard code, like the Manchester, has no D.C. component, although the Harvard code has a somewhat lower frequency component.

There are many methods of encoding signals which are in use today. The codes shown are typical codes which have one or more features of interest for the intercomputer data link use.
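The two transition-coded schemes above, worked through as an added example (code written for this edition, not part of the original report). Levels are represented as +1/-1 over half-bit intervals; the square-wave reference is assumed to be high in the first half of each bit and low in the second, and the Harvard BiPhase encoder is assumed to start from a high line. The example shows the two properties the text relies on, the mid-bit transition that makes Manchester self-clocking and the zero D.C. content, and also the one thing self-clocking does not give for free: a run of identical bits puts a transition on every half-bit, so the receiver can lock to the wrong phase and decode the data inverted, which is why the word gap or sync marker is still needed.

```python
"""Manchester and Harvard BiPhase line codes as the text describes them.
Added example, not part of the original report.  A bit time is split into
two half-bit intervals with levels +1/-1; the square-wave reference is
assumed to be +1 in the first half and -1 in the second.  Manchester: a '0'
is in phase with the reference, a '1' is inverted.  Harvard BiPhase: a
transition at every bit-period edge plus a mid-period transition for a '1'."""


def manchester_encode(bits):
    out = []
    for b in bits:
        out += [-1, +1] if b else [+1, -1]
    return out


def manchester_decode(levels):
    """Decode from the direction of the mid-bit transition: falling = '0', rising = '1'.
    A missing mid-bit transition means the receiver is not phase-locked to the data."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for i in range(0, len(levels), 2):
        first, second = levels[i], levels[i + 1]
        if first == second:
            raise ValueError("no mid-bit transition at bit %d" % (i // 2))
        bits.append(1 if second > first else 0)
    return bits


def harvard_encode(bits, start_level=+1):
    out, level = [], start_level
    for b in bits:
        level = -level            # transition at the bit-period edge, every bit
        first = level
        if b:
            level = -level        # extra transition at the bit centre for a '1'
        out += [first, level]
    return out


def harvard_decode(levels):
    """A '1' shows two different half-bit levels, a '0' holds one level for the whole bit."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    return [1 if levels[i] != levels[i + 1] else 0 for i in range(0, len(levels), 2)]


def dc_component(levels):
    """Net level over the span, in half-bit units; 0 means no D.C. content."""
    return sum(levels)


def manchester_phases(levels):
    """Half-bit offsets at which every bit period shows a mid-bit transition.
    Self-clocking guarantees at least one; a run of identical bits (transitions
    at every half-bit) leaves both, and decoding at the wrong one inverts the
    data, which is why a word gap or sync marker is still needed."""
    good = []
    for off in (0, 1):
        n = (len(levels) - off) // 2
        if n and all(levels[off + 2 * k] != levels[off + 2 * k + 1] for k in range(n)):
            good.append(off)
    return good


if __name__ == "__main__":
    word = [1, 0, 1, 1, 0, 0, 0, 1]  # constructed sample bits
    m = manchester_encode(word)
    print(m, manchester_decode(m), dc_component(m))
    h = harvard_encode(word)
    print(h, harvard_decode(h), dc_component(h))
    print(manchester_phases(manchester_encode([0, 0, 0, 0])))  # both offsets lock
```

For Manchester the D.C. sum is exactly zero for any data, since every bit carries one high and one low half. For Harvard BiPhase it is zero for every '1' and alternates sign for successive '0's, so the net content over a word is bounded by one bit time rather than identically zero, which is consistent with the text's remark that the Harvard code has a somewhat lower frequency component.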

Implementation 


Typical implementation of an RZ Bipolar encoder and decoder is shown in Figure V-8. The encoder uses an operational amplifier to generate the bipolar output from '1' and '0' pulses provided on the inverting and noninverting inputs. Transmission of signal and transmitter ground is by shielded twisted pair to a dual differential line receiver to provide a high degree of noise immunity.




A shortcoming of the circuits shown is their behavior under 'hot short' or other line transient conditions. The receiver probably can be made safe against propagating the fault voltage into the signal circuits by the use of discrete resistors and clamping diodes. An alternative is the use of a pair of optically coupled isolators on the inputs as shown in Figure V-8. Protecting the line driver is more difficult because of the low output impedance required. Microcircuit line drivers suffer from the presence of a real possibility that the chip ground lead will open first, subjecting the signal and supply pins to the line transient. Suitable discrete circuits can be designed, but, of course, they increase the number of piece parts, failure rate, and cost. Note that transformer coupling cannot be used due to the D.C. component necessary in this signaling form.

A suitable encoder and decoder for Manchester code is shown in Figure V-9. A shielded twisted pair is again used as the transmission line. The amplifiers shown as the line transmitter and line receiver may be any of a number of standard opamps, line receivers and transmitters, or even (for the transmitter) standard logic elements. Isolation using transformers is an entirely feasible way of limiting fault energy transfer to a level safely handled by the line circuits.

The use of square wave signaling with stable, accurate clocks allows the use of simple single-shot timing as the receiver reclock generator (shown) and the gap detector.

A somewhat similar system can be used for decoding the Harvard BiPhase, except that the edge detector would lock on the bit period edge transitions with the single-shot output providing a gating pulse for the bit period center transitions which signify '1's.

d.  Recommendations 

Unless  there  is  a drastic  change  in  data  link 
requirements,  it  is  recommended  that  data  be  transferred  between 
computers  of  the  FBW  PFCS  by  means  of  data  links  having  the 
following  characteristics: 

(1)  One  way  transmission  on  each  path  to  simplify 
computer  timing,  allowing  two-way  simultaneous  transfers. 

(2) Serial data transmission with a relatively low bit clock, in the order of 500 kHz, which simplifies hardware while allowing convenient use of techniques with desirable properties.


[Figure V-9: Manchester Code Encode/Decode Scheme]


(3) Manchester coding on the data link using a square wave 'carrier' because of the self-clocking and no D.C. component features of this code. It is relatively easy to encode and decode where the clock frequency is accurate and stable.

(4)  Independent  intercomputer  data  paths  to  the 
extent  necessary  to  achieve  isolation.  The  simplicity  of  the 
data  link  makes  this  independence  practical. 

(5)  Transmission  paths  using  shielded  twisted 
pair  conductors  for  superior  EMI  characteristics,  both  for 
susceptibility  and  emission. 

(6)  Differential  input  line  receiver  to  minimize 
common  mode  noise  pickup. 

(7)  Transformer  isolation  at  transmitting  end  of 
link  with  either  transformer  or  optically  coupled  isolators  at 
the  line  receiver.  This  is  necessary  to  prevent  faults  from 
propagating  beyond  the  hardware  associated  with  individual  line 
circuits. 




APPENDIX  VI 


SIGNAL SELECTION, MONITORING AND EQUALIZATION


This Appendix contains discussions of the following aspects of redundant flight control system design:

....  Signal selection devices

....  Equalization techniques

Conventional types of signal selection devices are enumerated and their relative merits and details of operation are discussed. Criteria for selection of a specific device are examined. The necessary distinctions are drawn between signal selection and monitoring. The effects of signal selection devices on performance and operation are discussed, and the effect of various types of failures is indicated for all the configurations. Applications to both analog and digital flight control systems are made.

The use of equalization techniques for minimizing bias or drift errors between channels of a redundant flight control system is studied next. Mathematical criteria are derived for the stability of equalization loops, and the relative advantages of different equalization schemes are pointed out.

Signal  Selection  Processes 


This section presents a summary of the operational objectives of signal selection, monitoring and self test in the context of redundancy management. In most flight control systems signal selection and failure detection are combined in a single device. This association is the result of a desire to minimize hardware by sharing components and does not necessarily reflect an inherent inseparability of the two processes. It will be shown, subsequently, that the objectives of signal selection do not always coincide with those of failure monitoring. As a consequence, it can be expected that both processes are less than optimal when combined in the same device.

In digital control systems the computational flexibility of the computer can accommodate a variety of approaches to the signal selection and failure detection processes without a corresponding increase in quantity and complexity of hardware. As a consequence, it is both practicable and desirable to treat signal selection and failure detection as distinct processes.




Definition of Signal Selection Device (SSD)


A signal selector is a device (or program or algorithm) which yields an output as a function of two or more inputs. In this general context a summing amplifier or a complementary filter are signal selection devices. The device, together with the inputs and outputs, makes up the signal selector process. In the context of redundancy the inputs to an SSD are, in some sense, replicates of an ideal signal. The output, however, is only required to be a "usable" replicate of the ideal input. It is not necessarily "better" than any of the inputs, at least in the conventional sense of being more accurate, less noisy, more representative, etc.

Definition of Failure Detection Device

A failure detector is any device (or program or algorithm) capable of detecting and annunciating failures either of components or signals. Failure detection capability is measured in terms of the parameters $\alpha$ and $\beta$ which were defined in Appendix III. The quantity $\beta$ is a measure of the sensitivity to nuisance alarms and is defined by the conditional probability

$\beta = P(F \mid A)$.

The quantity $\alpha$ is a measure of the failure detection capability and is defined by

$\alpha = P(A \mid F)$, where

F = event of a failure and A = event of an alarm.

1 . Operational  Objectives  of  Signal  Selection 

Improved Reliability through Cross Strapping

The SSD can improve system reliability by providing cross strapping (i.e., alternate path routing) of input signals. The SSD can, in principle, provide this function without monitoring the input signals; i.e., without removing a failed signal. Every SSD is essentially a majority device if the output is independent of the failure status of the input signals.




Reduce  Effects  of  Failures  and  Failure  Transients 


The  SSD,  acting  as  a majority  device,  can  mask  the  long 
term  effects  of  failures  and  reduce  failure  transients  to 
tolerable  levels.  This  is  the  primary  purpose  of  mechanical 
signal  selection  in  the  secondary  actuators. 

Provide  Common  Output  in  All  Redundant  Channels 

A SSD can provide a common output in all redundant channels. The effects of common outputs are:

• Improved Failure Detection in Downstream Units

When used in conjunction with comparison-type monitoring, common outputs improve failure detection by reducing nuisance alarms in downstream units. Common outputs are especially desirable in the detection of null and slowover failures.

• Common outputs eliminate the threshold characteristics of downstream mid-value selection devices.

• Common outputs can be used to equalize redundant channels.

Tolerance  Reduction 


A SSD can be used to obtain a "good" signal reference for (a) improved signal accuracy or (b) a reference signal for monitoring.

2 . Operational  Objectives  of  Monitoring 

In practice there are two broad categories of failure detection processes:

• Self Test

• Comparison Testing

The intended meaning of "self test" is that of a digital computer software program or any detection process which operates independently of the other channels. "Comparison testing" refers to any detection process which employs the other channels as models.


Two basic approaches to comparison testing are:

• Cross-SSD, which uses the output of an SSD as the good reference signal against which all other channels are compared.

• Cross-Channel, which compares each channel with the other channels and operates independently of any SSD's in the signal chain.

Typical cross-SSD and cross-channel monitors are shown in Figure VI-1, as they might appear in channel 1 of a quadruplex configuration. A tradeoff of cross-SSD versus cross-channel comparison monitoring is given in Reference 5.

Pre-Flight Failure Detection

In order to maintain the operational capability of a redundant system, failures must be detected and the failed units replaced. Reliability goals may impose severe requirements on pre-flight test efficiency.

In-Flight  Failure  Detection 

Improved Cross Strapping Benefits of the SSD

By detecting and removing a failed signal, failure detection can improve the benefits of an SSD relative to its cross strapping function. As an example, without failure detection the output of an SSD with four inputs will fail after two inputs have failed. With failure detection the output could conceivably only fail after four of the inputs have failed. There is an obvious trade-off here between the probability of two failures versus the probability of those combinations of detected and undetected failures and nuisance alarms which will cause disengagement of the device.

Reduced Failure Effects and Transients

An undetected failure of an input signal to an SSD can have an undesirable effect on the output, particularly in the region of small amplitudes. Oscillatory failures are especially undesirable because they can induce sustained oscillations of the output, albeit of small amplitude. In an SSD in which averaging is performed over a limited region a sustained failure will result in a reduction in gain within the region. Failure detection and disengagement can be a mixed blessing. It will be shown, subsequently, that disengagement may frequently cause a transient which is more severe than the transient which resulted at the onset of the failure.


[Figure VI-1: Comparison Monitoring Techniques (cross-SSD and cross-channel comparison)]


Supplements  Pre-Flight  Test 

In-flight  failure  detection  may  be  considered  an 
extension  of  pre- flight  test.  By  running  continuously  in  the 
actual  aircraft  environment,  in-flight  failure  detection  can 
be  very  effective  in  detecting  failures  which,  in  a ground 
environment,  would  be  difficult  to  detect. 

Failure  Status  Annunciation 

Failure annunciation is necessary if the pilot is to decide between continuing or aborting the mission.

3.  Examples  and  Application  of  Signal  Selection  Devices 

In subsequent sections we will concentrate our attention on three conventional signal selection processes:

Limited Averaging (LA SSD)

In this process the output is the average of the inputs until an input varies from the average by a predetermined distance. When this occurs the input is voted out. A typical output response is shown in Figure VI-2 where d = maximum variation from the average.

Mid-Value  Selection  (MV  SSD) 

If  the  number  of  inputs  is  odd  then  the  output  is 
the  mid-value.  If  the  number  of  inputs  is  even  then  the  output 
is  the  mid-value  of  the  inputs  and  zero. 

Mux  Gate 


In this process one of the inputs is gated to the output. If the same input is gated to the output in all channels the process is called "consolidation". Gating logic is activated by the failure monitor. The gating strategy depends upon the application.

Figure  Vl-3  shows  typical  placements  of  SSD's  in  the 
fliaht  control  application.  The  objectives  of  each  SSD  depend 
upon  its  location  as  the  following  summary  indicates. 




Objectives


Sensor  SSD 


• Improved reliability through cross strapping the sensors and computers. The improvement in reliability can be considerable even without the improved benefits of monitoring.

• Improved failure detection in downstream units due to common outputs in all channels. This presupposes comparison-type monitoring.

• Improved dynamic performance of downstream SSD's due to common outputs.

• Equalization of redundant channels via common outputs in all channels.

• Sensor signal selection can be performed by the digital controller. Each computer inputs one sensor of a set and transmits the converted value to the other computers via the intercomputer data links. With this arrangement loss of a computer results in loss of its associated sensor.

Digital  Computer  SSD 

• Equalization of Integrators - This SSD, which operates on signals which are generated in the digital computer, is used for integrator equalization in the event that the sensor SSD's do not supply a common signal in all channels. The cross strapping of the sensors could be such that small differences between channels develop due to I/O and A/D converter tolerances and biases. While such differences may have a negligible effect on the dynamic characteristics of downstream SSD's, they will, eventually, cause the channel integrators to diverge.

Actuator  Command  SSD 


• Improved reliability through cross strapping the computers and servos. This objective requires dedicated SSD's; i.e., independent of the major failure modes of the digital computers.

• Improved  failure  detection  in  servos  due  to  common 
servo  commands. 




• Improved dynamic performance of actuator SSD due to common commands. The dynamic performance problem, however, may be merely transferred to upstream SSD's.

Actuator  SSD 


• Reduced  failure  effects  and  failure  transients  - By 
appropriate  selection  the  effects  of  command  and  servo 
failures  are  reduced.  As  an  additional  consequence, 
failures  need  not  be  detected  immediately  as  they 
occur. 

Disadvantages  of  Signal  Selection 

• Introduces  undesirable  dynamic  characteristics 
particularly  in  the  region  of  small  amplitudes. 

• Susceptible  to  common  mode  failures  - As  an  example, 
a Mux  Gate  of  the  consolidated  type  will  pass  a 
failed  signal  to  all  channels  until  it  is  detected 
and  gated  out. 

• Masks failures as seen by downstream units - A poorly designed SSD could pass a failure to all channels. An SSD of this type requires a highly efficient (and demonstrably so) in-flight test.

• Requires  interchannel  isolation  - Because  signals 
from  all  channels  feed  a single  SSD,  a common  failure, 
even  if  detected,  could  propagate  to  all  channels. 

• Could result in disengagement of all channels due to a single failure. If the SSD is used to supply a reference signal to a monitor then a single failure could result in disengagement of all channels. Such a phenomenon has actually been observed (in Reference 5, Monitoring Avalanche, Page 145).

• Could increase tolerance build-up - A poorly designed SSD (i.e., relative to the signal noise) could cause the selected output to have a worse tolerance variation than any of the inputs.




4. Operational Characteristics of the SSD

In the context of the general definition of the signal selection process it is difficult, if not impossible, to generalize operating characteristics of an SSD. We do know, based on our experience with conventional SSD's, that two characteristics are paramount in the evaluation of a signal selection process:

• Normal dynamical performance including threshold and tolerance propagation effects

• Failure effects and transients

Normal Performance


An  SSD  output,  which  is  presumed  to  simulate  an  ideal 
input,  may  exhibit  dynamical  characteristics  which  are  not 
shared  by  any  of  the  input  signals. 

Threshold 


An MV SSD with an even number of inputs will exhibit a threshold due to bias differences between the inputs. An example of this effect is shown in Figure IV-6. In many applications, the threshold will result in a limit cycle oscillation. The threshold effect can be reduced or eliminated by introducing equalization (to be discussed subsequently) or by insuring that all signal inputs are the same. In a digital controller the introduction of a sensor SSD can insure common inputs to all downstream SSD's. However, this could transfer the threshold problem to the sensor SSD. The solution here is to use an SSD which does not exhibit the threshold problem, e.g., a limited average SSD.

Tolerance  Propagation 

Under nominal conditions the inputs to an SSD will differ from each other and from their mean due to normal tolerance differences. As a consequence the output will differ from its mean by an amount determined by the process algorithm and the input differences. This variation of the output could have a degrading effect on performance on a single string basis and on monitoring if the SSD output is used as a reference signal to be compared with the inputs. An excessive increase in tolerance propagation will result in poor failure detection and a high rate of nuisance alarms. As an example of propagated tolerance, let us compare an MV SSD with a limited average SSD.




For simplicity, we assume three inputs $u(t)$, $v(t)$, $w(t)$, whose variations about a common mean, $m(t)$, are independent, random and stationary processes with the same statistics. Because it yields a simple solution we also assume that the processes are Gaussian.

Let

$\sigma^2(t) = E\{(u-m)^2\} = E\{(v-m)^2\} = E\{(w-m)^2\}$ = variance of each input,
$z(t)$ = output of the SSD,
$E\{\ \}$ = expected value.

It is shown in the Supplement to this Appendix that in an MV SSD

$E(z) = m$ and $E\{(z-m)^2\} = 0.45\,\sigma^2$

and in a Limited Average SSD

$E(z) = m$ and $E\{(z-m)^2\} = 0.33\,\sigma^2$.

Thus, we see that both the MV and LA SSD's outputs result in smaller tolerance variations than any of the input signals. Furthermore, the LA SSD is somewhat better in this respect than the MV device. However, the advantage of one or the other process depends upon the nature of the statistics of the inputs. In general, distributions which are concentrated about the mean tend to favor limited averaging whereas symmetrical distributions which are concentrated at points other than the mean tend to favor mid value selection.




Failure Effects and Transients

The steady-state and transient effects of failures depend upon aircraft dynamics, mode of operation, type of signal selection devices, etc. A detailed discussion of the effects of failures in triplex and quadruplex configurations when the signal selection device is a mid-value type has been presented in Appendix IV. A summary of failure transient effects of MV and limited averaging signal selection devices is given in Table IV-1. The table was taken from Reference 5.


TABLE IV-1

PERFORMANCE COMPARISON OF MIDVALUE VS LIMITED AVERAGING SIGNAL SELECTION PROCESSES

Failure type: Step
  MV with perfect equalization: No failure transient; easily detected.
  Limited averaging: Transient equal to 1/4, 1/3, or 1/2 of averaging range; easy to detect.

Failure type: Slowover
  MV with perfect equalization: No transient; signal detected when drift exceeds detection level.
  Limited averaging: Output drifts slowly to 1/4, 1/3, or 1/2 of averaging range; detected when drift exceeds detection level.

Failure type: Oscillatory
  MV with perfect equalization: No oscillation with perfect hard vote; detectable if oscillation level is greater than detection level and if time delays on detection do not block detection.
  Limited averaging: Oscillation equal to 1/4, 1/3, or 1/2 of averaging range.

Failure type: Passive
  MV with perfect equalization: No gain change; very hard to detect without special provisions unless circuit activity is greater than failure detection level.
  Limited averaging: Gain about zero drops to 3/4, 2/3, or 1/2 of normal value; very hard to detect without special detection provisions unless circuit activity is greater than failure detection level.

Failure type: High gain
  MV with perfect equalization: Size of limit cycle will depend on perfectness of vote. A perfect hard vote will eliminate limit cycle. Detection may or may not be easy depending on where failure occurs.
  Limited averaging: A limit cycle is guaranteed and size or severity will depend on the averaging range; failure condition will be very evident, but determination of which channel has failed may or may not be easy.


The  initial  configuration  is  quadruplex  and  it  is  assumed  that 
(a)  all  previous  failures  were  detected  and  removed,  (b)  failure 
detection  is  achieved  through  comparison-type  monitoring  and 
(c)  channel  differences  have  been  equalized. 
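As an added example (not code from the report), the following Python compares the tolerance propagation of a triplex MV SSD and an LA SSD by Monte Carlo, reproducing the 0.45 and 0.33 variance ratios quoted above, and checks the step-failure row of Table IV-1. The LA rule used here (limit each input to within an averaging range L of the mid-value, then average) is an assumption, since the report does not spell out its LA algorithm; the contaminated-Gaussian input is a constructed distribution included to show that the comparison depends on the input statistics, as the text states.

```python
"""Mid-value (MV) versus limited-average (LA) signal selection: propagated
tolerance and step-failure transient.  Added example, not code from the report.
The LA rule (clamp to within L of the mid-value, then average) is an assumption."""
import math
import random
import statistics

# The Supplement's closed-form result for the median of three Gaussian inputs.
MV_GAUSSIAN_VARIANCE_RATIO = 1.0 - math.sqrt(3.0) / math.pi   # ~0.4487


def mid_value(inputs):
    """Triplex MV SSD: the median of the three inputs."""
    return sorted(inputs)[1]


def limited_average(inputs, averaging_range=10.0):
    """LA SSD (assumed form): every input is limited to within +/- averaging_range
    of the mid-value before averaging, so one hardover moves the output by at
    most averaging_range / 3 (the "1/3 of averaging range" entry of Table IV-1).
    With nominal inputs well inside the range this is the plain average."""
    ref = mid_value(inputs)
    clipped = [min(max(x, ref - averaging_range), ref + averaging_range) for x in inputs]
    return sum(clipped) / len(clipped)


def gaussian(rng):
    return rng.gauss(0.0, 1.0)


def contaminated_gaussian(rng):
    """Constructed distribution: N(0,1) with 5 % of samples from a wide N(0,25)."""
    return rng.gauss(0.0, 5.0) if rng.random() < 0.05 else rng.gauss(0.0, 1.0)


def propagated_variance_ratio(ssd, sampler, n=100_000, seed=7):
    """Monte Carlo estimate of Var(z) / Var(input) for three i.i.d. inputs."""
    rng = random.Random(seed)
    inputs_seen, outputs = [], []
    for _ in range(n):
        u, v, w = sampler(rng), sampler(rng), sampler(rng)
        inputs_seen.append(u)
        outputs.append(ssd([u, v, w]))
    return statistics.pvariance(outputs) / statistics.pvariance(inputs_seen)


def step_failure_transient(ssd, nominal=1.0, hardover=100.0):
    """Table IV-1, step failure: three equal inputs, one steps to a hardover.
    Returns the change in the selected output."""
    return ssd([nominal, nominal, hardover]) - nominal


if __name__ == "__main__":
    for name, ssd in (("MV", mid_value), ("LA", limited_average)):
        print(name, "Gaussian ratio:", round(propagated_variance_ratio(ssd, gaussian), 3),
              "contaminated ratio:", round(propagated_variance_ratio(ssd, contaminated_gaussian), 3),
              "step transient:", round(step_failure_transient(ssd), 3))
```

The Gaussian ratios come out near 0.45 and 0.33; with the contaminated input the MV output has the smaller variance, which is the point made above that neither process is uniformly better.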

5. Summary of Signal Selection Processes

MV  SSD 

Provides  cross-strapping. 

May not require rapid recognition of first failure.

Failure  transients  determined  by  normal  channel 
differences  at  time  of  failure. 

Potential limit cycle oscillation around null caused by normal channel differences.

Improves  tolerance  propagation  effects. 

LA  SSD 

Provides  cross-strapping. 

Requires  rapid  recognition  and  disqualification  of 
failures  in  order  to  reduce  failure  transient. 

Failure  transients  could  equal  1/4  (quad),  1/3  (triplex) 
or  1/2  (dual)  of  the  averaging  range. 

No  limit  cycle  due  to  channel  differences. 

Improves tolerance propagation effects. Somewhat superior in this respect to the MV SSD.

MUX  GATE  SSD 


Provides  cross-strapping. 

Requires  rapid  recognition  and  disqualification  of 
failure  in  order  to  reduce  failure  transients. 

Failure  transient  could  equal  maximum  signal  level. 

A latent failure followed by a detected failure could result in the failed channel supplying two channels' signals.


Recommended for non-critical functions such as computers-to-displays, especially with serial transmission.

6.  Common  Mode  Failures 


One of the potential disadvantages of signal selection is the susceptibility of the resultant system to common mode failures. In a digital computer there are several sources of common mode failures associated with the signal selection process:

Signal  Select  Algorithm 

In a digital controller the complexity of a signal select algorithm may be no impediment to its implementation. However, an excessively complicated algorithm may contain a design defect which, under normal operating conditions, could propagate a common, but false, signal to all channels.

Communications  Path  Failure 


Because signals from all channels must be transmitted to all computers a single failure of a communications path could affect all computers. Referring to Figure V of Appendix V, it can be seen that all communications paths are eventually gated onto the I/O or DMA busses from which they can be gated to almost any component in the computer. The remedy is to isolate all external paths from these busses.

Cross-SSD  Monitoring 

When an SSD is used to provide a reference for cross-SSD comparison monitoring it is possible to disengage all channels due to a single failure. An example of such an effect is given in Reference 5 where it is referred to as "monitoring avalanche". The sequence of events is illustrated in Figure VI-4, which is taken from Reference 5. Referring to the figure, channel A incurs excessive drift but remains within the detection level. Channel B subsequently fails in the direction indicated with the result that channels D, C and A successively indicate failures.




7.  Equalization 

Effects  of  Bias  Errors  in  Redundant  Flight  Control  Systems 

In a redundant control system and under normal operating conditions, certain internal variables may diverge while other variables are under control. This phenomenon can occur even though the single string control system is stable and otherwise satisfactory. The reason is that each channel contains errors which are not the same in all channels but senses the same motion and commands the same controller as all of the other channels. These small errors excite modes which are not present in the single string system and which are uncontrollable by the single control surface. As an illustration of this effect consider the dual redundant system of Figure VI-5. From the figure it can be seen that there does not exist a control function, $x(t)$, which can drive the state variables $e_1$, $e_2$ from an arbitrary initial condition (e.g., $e_1(0) \neq e_2(0)$) to the origin in a finite amount of time even if the offsets are identically zero. While strict controllability of $e_1$ and $e_2$ is not a requirement in most control systems, it is required that $e_1$ and $e_2$ remain bounded and their difference sufficiently small. This is not the case when the transfer function, $G$, is unstable or neutrally stable. It is always the case when $G$ is stable. The situation can be seen more clearly in Figure VI-6. Here the single string system, $xG = e$, is controllable (i.e., in most cases of interest) but the variables $e_1$ and $e_2$ are not strictly controllable. If $G$ is unstable or neutrally stable then $e_1$ or $e_2$ will become unbounded for arbitrary offsets. Since most flight controllers contain at least one integration (e.g., for trim, heading or attitude hold, beam error, etc.) it is necessary to devise some technique of control which will maintain internal variables within prescribed bounds when the control system is made redundant. There are three obvious techniques to accomplish this:

• Approximate  the  integrator  by  a lag. 

• Transmit  identical  control  signals  to  all  channels. 

• Equalize  channels  or  integrators. 

Lag  Replacement 

When the lag can be selected to yield satisfactory performance, this is the easiest solution.


Common Signals in All Channels


In a digital controller it is possible and practicable to insure that the inputs to the integrators are the same in all channels. Let us assume that the sensors are cross-strapped so that each computer receives signals from all sensors. If each computer performs its own analog-to-digital conversion, then one can expect that all converted signals, in all channels, will be different due to small bias and gain errors in the converters. If the signals are inputted under DMA control, then one can even expect an additional difference between converted signals if the DMA controllers are non-synchronous. Without clock synchronization there are two approaches to insuring a common signal in all channels:

• In the normal sequence of operations each computer inputs all signals from a sensor set (assuming that we have cross-strapping) and performs a signal selection to obtain a reference output. It can be expected that this output will differ from similar outputs in other channels. At a subsequent fixed point in the program each computer transmits a code to the other computers. Upon receipt of codes from all computers each computer transmits its reference signal to all other computers via the intercomputer bus. A limited averaging selection is then performed. The resultant reference output will be the same in all computers.

It should be noted that the reference signals prior to the second signal selection do not necessarily represent the sensed signal at the same instant of time due to phasing of the input sampling or to differences in the DMA clocks.

• A disadvantage of the above approach is the additional real time required to transmit all selected signals to the other computers. An alternate approach is to transmit only the integrator commands, via the intercomputer bus, and then use a limited average SSD to obtain a common input. This approach is shown in Figure VI-8. A similar approach is shown in Figure VI-9 where the integrator outputs are transmitted to the other computers. From the difference equation for each of these approaches we observe that the technique is functionally equivalent to averaging all of the inputs and transmitting the common average to all integrators.
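The two approaches just described, as an added example (not code from the report): three computers each convert the cross-strapped sensors with their own converter errors and select locally, then exchange references and apply the same limited-average selection, ending with an identical reference; the second function pair shows integrators fed with the limited average of the exchanged commands staying identical while locally-fed integrators drift apart. The sensor values, converter gain and bias errors, the averaging range and the LA rule (clamp about the mid-value, then average) are all constructed assumptions.

```python
"""Common reference in all channels without clock synchronisation.
Added example, not code from the report; all numeric values are constructed."""


def mid_value(inputs):
    """MV SSD for an odd number of inputs: the median."""
    return sorted(inputs)[len(inputs) // 2]


def limited_average(inputs, averaging_range):
    """Limited-average SSD (assumed form): inputs are limited to within
    +/- averaging_range of the mid-value, then averaged."""
    ref = mid_value(inputs)
    clipped = [min(max(x, ref - averaging_range), ref + averaging_range) for x in inputs]
    return sum(clipped) / len(clipped)


# Constructed: three cross-strapped sensors measuring the same quantity
# (true value 1.0), each with a small sensor bias.
SENSORS = [1.0 + 0.003, 1.0 - 0.001, 1.0 + 0.0005]

# Constructed: each computer's own A/D converter has a (gain, bias) error.
CONVERTERS = {"A": (1.0010, +0.0004), "B": (0.9995, -0.0002), "C": (1.0003, +0.0007)}


def convert(computer, sensor_value):
    gain, bias = CONVERTERS[computer]
    return gain * sensor_value + bias


def local_references():
    """Step 1: every computer converts all sensors itself and selects locally.
    The references differ between computers because the converters differ."""
    return {c: mid_value([convert(c, s) for s in SENSORS]) for c in CONVERTERS}


def common_reference(local_refs, averaging_range=0.01):
    """Step 2: after the exchange over the intercomputer bus each computer holds
    the same set of references and applies the same LA selection to them in the
    same fixed channel order.  The fixed order matters: it makes the
    floating-point result bit-identical in every computer, not merely close."""
    ordered = [local_refs[c] for c in sorted(local_refs)]
    return {c: limited_average(ordered, averaging_range) for c in local_refs}


def integrators_with_common_input(commands_per_step, dt, averaging_range=0.01):
    """Alternate approach: only the integrator commands are exchanged and
    limited-averaged, so every channel integrator receives the same input and
    the outputs stay identical.  Returns the per-channel integrator outputs."""
    outputs = [0.0] * len(commands_per_step[0])
    for cmds in commands_per_step:
        common = limited_average(cmds, averaging_range)
        outputs = [y + dt * common for y in outputs]
    return outputs


def integrators_with_local_input(commands_per_step, dt):
    """Without the exchange each integrator sees its own command and the outputs
    drift apart by the accumulated command differences."""
    outputs = [0.0] * len(commands_per_step[0])
    for cmds in commands_per_step:
        outputs = [y + dt * c for y, c in zip(outputs, cmds)]
    return outputs


if __name__ == "__main__":
    refs = local_references()
    print("local references :", refs)
    print("common reference :", common_reference(refs))
    steps = [[0.10, 0.11, 0.09]] * 100   # constructed per-channel commands
    print("common-input integrators:", integrators_with_common_input(steps, 0.02))
    print("local-input integrators :", integrators_with_local_input(steps, 0.02))
```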




Equalization 

Another technique which maintains the internal variables within prescribed bounds is "equalization". In this approach individual channel differences, or their equivalent, are fed back to all channels. This is a favorite technique in analog systems where it is difficult and impracticable to achieve common inputs in all channels due to differences in dedicated hardware and noise pick-up. Using equalization the integration of Figure VI-7 can be stabilized as shown in Figure VI-10. The extension of the same technique to a quadruplex configuration is shown in Figure VI-11.

Another approach to equalization is to utilize the difference between the output of the servo actuator signal selection device and each channel response as the equalizing feedback to that channel. This arrangement is shown in Figure VI-12. The advantage of this approach is that only one signal selection is required to service all channels.

Another application of equalization is to reduce or eliminate servo command differences in order to reduce threshold and failure transients when the SSD is an MV type. A schematic version of this approach is shown in Figure VI-13. Each of these "equalizing" configurations will now be discussed in detail.

Referring to Figure VI-10, if we assume that the channel differences can be obtained without any variation in gain between channels, i.e., $1 = a_1 = a_2 = b_1 = b_2$, then equalization does, indeed, eliminate the "drift problem". From the figure we easily compute




INTEGRATOR STABILIZATION VIA EQUALIZATION
FOR A DUAL REDUNDANT SYSTEM

FIGURE VI-10




INTEGRATOR STABILIZATION VIA EQUALIZATION
FOR A QUADRUPLEX CONFIGURATION
USING SERVO DIFFERENCES

FIGURE VI-12




SERVO EQUALIZATION VIA INTEGRATION

FIGURE VI-13




$e_1 = \frac{K}{s}\,x + \frac{(s + KK_E)\,K d_1 + K^2 K_E\, d_2}{s\,(s + 2KK_E)}$

$e_2 = \frac{K}{s}\,x + \frac{(s + KK_E)\,K d_2 + K^2 K_E\, d_1}{s\,(s + 2KK_E)}$

$e_1 + e_2 = \frac{2K}{s}\,x + \frac{1}{s}\,K\,(d_1 + d_2)$

$e_1 - e_2 = \frac{K\,(d_1 - d_2)}{s + 2KK_E}$


Thus, $x =$ will stabilize the divergence. The resultant steady-state channel difference is

$e_1 - e_2 =$


In practice, however, the channel gains $a_1$, $a_2$, $b_1$, and $b_2$ are not equal. In the general case the characteristic equation is

$s^2 + (a_1 + b_2)\,KK_E\,s + K^2 K_E^2\,[\,a_1(b_2 - b_1) + b_1(a_1 - a_2)\,] = 0$

and not

$s^2 + 2KK_E\,s = 0$

as in the previous case. Thus, equalization is unstable if

$a_1(b_2 - b_1) + b_1(a_1 - a_2) < 0.$




From  this  simple  example  we  see  that  equalization  can  introduce 
additional  stability  problems. 
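The stability argument above, as an added example (not code from the report). The channel model is an assumption chosen to reproduce the characteristic equation quoted in the text: channel 1 integrates $K(x + d_1) - KK_E(a_1 e_1 - a_2 e_2)$ and channel 2 integrates $K(x + d_2) - KK_E(b_2 e_2 - b_1 e_1)$, whose characteristic polynomial is $s^2 + (a_1 + b_2)KK_E s + K^2K_E^2[a_1(b_2 - b_1) + b_1(a_1 - a_2)]$. The gains and offsets are constructed; the unequal-gain case is chosen so that the constant term is negative.

```python
"""Dual-channel integrator equalization (Figure VI-10): root test and simulation.
Added example, not code from the report.  The channel model is an assumption
that reproduces the characteristic equation given in the text."""
import cmath


def characteristic_roots(K, KE, a1, a2, b1, b2):
    """Roots of s^2 + p s + q, with p and q read off the characteristic equation."""
    p = (a1 + b2) * K * KE
    q = K * K * KE * KE * (a1 * (b2 - b1) + b1 * (a1 - a2))
    disc = cmath.sqrt(p * p - 4 * q)
    return (-p + disc) / 2, (-p - disc) / 2


def equalization_unstable(K, KE, a1, a2, b1, b2):
    """True when a root has a positive real part (positive feedback through the
    mismatched equalizing paths).  With matched gains the constant term is zero:
    one root is the integrator pole at s = 0, the other is -2 K K_E."""
    return any(r.real > 1e-12 for r in characteristic_roots(K, KE, a1, a2, b1, b2))


def simulate_dual(K, KE, a1, a2, b1, b2, d1, d2, x, dt=0.01, steps=40000):
    """Euler integration of the two equalized channel integrators (assumed model):
        de1/dt = K (x + d1) - K KE (a1 e1 - a2 e2)
        de2/dt = K (x + d2) - K KE (b2 e2 - b1 e1)
    Returns (e1, e2) at the end of the run."""
    e1 = e2 = 0.0
    for _ in range(steps):
        de1 = K * (x + d1) - K * KE * (a1 * e1 - a2 * e2)
        de2 = K * (x + d2) - K * KE * (b2 * e2 - b1 * e1)
        e1 += dt * de1
        e2 += dt * de2
    return e1, e2


def steady_state_difference(KE, d1, d2):
    """With matched unity gains the difference mode e1 - e2 settles to
    (d1 - d2) / (2 K_E), the final value of K (d1 - d2) / (s + 2 K K_E)."""
    return (d1 - d2) / (2 * KE)


if __name__ == "__main__":
    print("matched gains unstable?  ", equalization_unstable(1.0, 1.0, 1, 1, 1, 1))
    print("b2 = 0.9 unstable?       ", equalization_unstable(1.0, 1.0, 1, 1, 1, 0.9))
    print("matched run (e1, e2):    ", simulate_dual(1.0, 1.0, 1, 1, 1, 1, 0.1, -0.1, 0.0))
    print("mismatched run (e1, e2): ", simulate_dual(1.0, 1.0, 1, 1, 1, 0.9, 0.1, -0.1, 0.0))
```

With matched gains the difference converges to $(d_1 - d_2)/(2K_E)$ while the common mode stays at the plain integrator behaviour; a 10 % mismatch in one pickoff gain makes the constant term negative and the simulated channels run away, which is the "additional stability problem" the text warns of.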

Referring to Figure VI-12 (an analogous argument applies to Figure VI-11), let us assume, first, that the nominal feedback gains are unity; i.e., $1 = K_1 = K_2 = K_3 = K_4$. We assume, throughout, that the SSD is an MV type. A necessary condition for drift stabilization requires that

$x + d_i - K_E\,(x_i - x_0) = 0, \qquad i = 1, 2, 3, 4.$


Assume, without loss of generality, that

$d_1 < d_2 < d_3 < d_4.$


Then, from the above equalities we must have

$x_1 - x_0 < x_2 - x_0 < x_3 - x_0 < x_4 - x_0$

and, hence, $x_1 < x_2 < x_3 < x_4$. Since the device is an MV SSD we must have $x_0 = x_2$ (assuming $x_2 > 0$) or $x_0 = 0$.


Case 1: $x_0 = 0$. Then

$x_1 < x_2 < 0 < x_3 < x_4$




and

$x_i = \frac{x + d_i}{K_E}, \qquad i = 1, 2, 3, 4,$

and the common input, $x$, can have any value such that $x + d_2 < 0 < x + d_3$.


Observe  that  this  is  equivalent  to  a threshold  about  zero. 

Case 2: $x_0 = x_2$. In this case

$x =$

will stabilize the drift. The channel differences are given by

$x_i - x_2 = \frac{d_i - d_2}{K_E}, \qquad i = 1, 3, 4.$




Observe that it requires a steady-state value of $x$ to stabilize the drifts.

Referring, again, to Figure VI-12, the equalization could become unstable if the feedback gains, $K_i$, are greater than unity. Such a condition could occur in practice due to tolerance variations in the sensing mechanism. There are two approaches (at least) to stabilizing the process:

• Select a nominal gain value less than unity and such that expected gain variations will not cause the gain to exceed unity. This technique can always be applied when the variables $x_i$ and $x_0$ are individually accessible. Relative to the integrator input, $x$, this approach is equivalent to replacement of the integrator by a lag.

• Introduce a deadzone in the equalizing path as shown in Figure VI-14. The deadzone, $\epsilon$, is selected in such a way that positive feedback is precluded. We now determine the minimum value of $\epsilon$ for this purpose. Consider the differences

$x_i - K_i\,x_0, \qquad i = 1, 2, 3, 4.$

Let us suppose that $K_0$ is the largest of the gains $K_1$, $K_2$, $K_3$, $K_4$ and $K_0 > 1$. We vary the difference $x_i - K_0\,x_0$ when $x_i = x_0$ over all values of $x_0$. The variation is shown in Figure VI-15. The largest positive variation, $\epsilon$, is the minimum amplitude of the deadzone.

Let $y_i$ = output of the deadzone in the $i$th channel. We want to show that

$y_i \geq 0$ when $x_i > x_0$ and $y_i \leq 0$ when $x_i < x_0$.




EQUALIZATION WITH DEADZONE

FIGURE VI-14




This will insure that no positive feedback path exists. Assume that $x_i > x_0$. Then

$x_i - K_i\,x_0 = (x_i - x_0) + (1 - K_i)\,x_0 \geq -\epsilon$

since $x_i - x_0 > 0$ and $(1 - K_i)\,x_0 \geq -\epsilon$. Thus $y_i \geq 0$.

Assume that $x_i < x_0$. Then

$x_i - K_i\,x_0 = (x_i - x_0) + (1 - K_i)\,x_0 \leq \epsilon$

since $x_i - x_0 < 0$ and $(1 - K_i)\,x_0 \leq \epsilon$.

Thus, $y_i \leq 0$ and the result is established. This method of equalization can be employed when the integration is performed in the digital computer. The method does not require interchannel communications nor does it require common inputs to the integrators.
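The deadzone sizing argument above, as an added example (not code from the report). The gains $K_i$ and the signal range of $x_0$ are constructed; the deadzone amplitude is taken as the largest positive variation $(K_0 - 1)\,|x_0|_{\max}$ as in the text, and the sign property of the deadzone output is checked over a grid of $(x_i, x_0)$ pairs, once with the minimum deadzone and once with a deadzone that is too small.

```python
"""Equalizing deadzone sized to preclude positive feedback when gains exceed unity.
Added example, not code from the report; the gains and signal range are constructed."""


def deadzone(u, eps):
    """Deadzone nonlinearity: zero for |u| <= eps, otherwise the excess over eps."""
    if u > eps:
        return u - eps
    if u < -eps:
        return u + eps
    return 0.0


def minimum_deadzone(gains, x0_max):
    """Largest positive variation of x_i - K_0 x_0 at x_i = x_0, i.e. (K_0 - 1) x0_max,
    where K_0 is the largest gain; zero if no gain exceeds unity."""
    k0 = max(gains)
    return max(0.0, (k0 - 1.0) * x0_max)


def equalizing_output(xi, x0, ki, eps):
    """Output y_i of the deadzone in channel i for feedback difference x_i - K_i x_0."""
    return deadzone(xi - ki * x0, eps)


def sign_property_holds(gains, x0_max, eps, grid=201):
    """Check, over a grid of x_0 and x_i in [-x0_max, x0_max], that y_i >= 0
    whenever x_i > x_0 and y_i <= 0 whenever x_i < x_0 (no positive feedback)."""
    for ki in gains:
        for a in range(grid):
            x0 = -x0_max + 2.0 * x0_max * a / (grid - 1)
            for b in range(grid):
                xi = -x0_max + 2.0 * x0_max * b / (grid - 1)
                y = equalizing_output(xi, x0, ki, eps)
                if xi > x0 and y < 0.0:
                    return False
                if xi < x0 and y > 0.0:
                    return False
    return True


if __name__ == "__main__":
    gains = [1.00, 1.02, 0.98, 1.05]       # constructed: tolerance spread about unity
    eps = minimum_deadzone(gains, 10.0)    # constructed signal range |x_0| <= 10
    print("minimum deadzone:", eps)
    print("sign property with minimum deadzone:", sign_property_holds(gains, 10.0, eps))
    print("sign property with half that deadzone:", sign_property_holds(gains, 10.0, eps / 2))
```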

Servo  Equalization 

In Figure VI-16 we show a typical scheme for equalizing the servos which is similar to the equalization of a channel integrator, except that now an integrator is introduced for the purpose of equalization. In the figure we show two equalizing configurations, depending upon how the differences, $x_i - x_0$, are obtained. In some mechanical arrangements the difference can be measured directly. In this case we do not require a deadzone for stability. We henceforth assume that $x_i$ and $x_0$




SERVO EQUALIZATION FOR A QUADRUPLEX CONFIGURATION

FIGURE VI-16




are measured separately. The same argument regarding stability applies here: if the gains, $K_i$, are greater than unity (the number of such gains will determine the stability after zero, one or two failures) then instability can result due to positive feedback. The remedy is the same as before: introduce a deadzone* in the feedback path.

We mention two problems in connection with integral equalization of the servos:

• The integrators will tend to drift due to internal offset or biases in the sensors or A/D converters if the integration is performed in the digital computers. The solution is to clamp the integrator in any channel in which the difference, $x_i - x_0$, falls in the deadzone. In general, the remaining channel differences will exceed the deadzone in order to equalize the drifts of their respective integrators.

• Because of the infinite memory of the integrator, the outputs, $x_i$, will eventually "walk" away from the command, $x$. The "walking" problem was actually observed in a simulation (Ref. 5). If the command signal, $x$, contains trim then "walking" can be prevented by occasionally retrimming. However, this does not prevent the integrators from eventually overloading. Furthermore, it is desirable that the integrators hold only a small percentage of the trim signal; otherwise, null failures of an integrator (after several failures) could result in a non-passive state of the airplane following loss of control.


*In some cases the equalization is limited in order to prevent equalization of slowover failures. This could inhibit detection of H/O failures if they occur upstream of the limiter.




One solution to this problem (which has not been verified in a simulation) is to bleed off the average value of the integrators on a long-time basis. The technique is illustrated in Figure VI-17. From the figure we obtain (ignoring the deadzone):


•fk 


e.  — 

1 s 


Thus, $y_i$ is the integral of $e_i$, approximately, and the average value of the integrators, $z$, tends to zero, as desired.

Another approach to servo equalization is to use a lag in place of an integrator. Referring to Figure VI-13, we replace $K_E/s$ by a lag. To see the effects of lag equalization, we consider two cases:

Case 1: $x_1 < x_2 < 0 < x_3 < x_4$


From the figure we obtain, in the steady state,

$x + d_i - K_E\,x_i = x_i, \qquad i = 1, 2, 3, 4.$




METHOD FOR PREVENTING OVERLOADING
OF THE EQUALIZING INTEGRATORS
IN A QUADRUPLEX SERVO CONFIGURATION

FIGURE VI-17




We conclude, therefore, that

$\frac{x + d_2}{1 + K_E} < 0 < \frac{x + d_3}{1 + K_E}.$


From  this  inequality  we  see  that  lag  equalization  does  not 
reduce  the  steady  state  threshold  (relative  to  x)  about  zero. 


Case 2: $0 < x_1 < x_2 < x_3 < x_4$

In this case, in the steady state,

$x + d_1 - K_E\,(x_1 - x_2) = x_1$

$x + d_2 = x_2$

$x + d_3 - K_E\,(x_3 - x_2) = x_3$

$x + d_4 - K_E\,(x_4 - x_2) = x_4.$

We conclude that

$x_4 - x_2 = \frac{d_4 - d_2}{1 + K_E}.$




Thus,  lag  equalization  reduces  the  offsets  between  servo  outputs, 
which  has  the  effect  of  reducing  failure  transients. 
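The two lag-equalization cases worked above, as an added example (not code from the report). It simulates four servos whose outputs are $x_i = x + d_i - y_i$ with the lag $\tau\,\dot y_i = -y_i + K_E(x_i - x_0)$ and an MV SSD supplying $x_0$. The quad MV rule used (output zero when the middle pair straddles zero, otherwise the middle value nearer zero) is my reading of the case analysis above, and the command $x$, offsets $d_i$, gain $K_E$ and lag time constant are constructed.

```python
"""Lag servo equalization for a quadruplex servo set with an MV SSD.
Added example, not code from the report; the quad MV rule is an assumption
read from the case analysis, and all numeric values are constructed."""


def quad_mid_value(inputs):
    """Assumed quad MV SSD: zero when the middle pair straddles zero (the
    threshold about zero), otherwise the middle value nearer to zero."""
    lo, hi = sorted(inputs)[1:3]
    if lo <= 0.0 <= hi:
        return 0.0
    return lo if abs(lo) < abs(hi) else hi


def servo_lag_equalization(x, d, KE, tau=0.2, dt=0.001, steps=20000):
    """Euler simulation of
        x_i = x + d_i - y_i
        tau * dy_i/dt = -y_i + KE * (x_i - x_0),   x_0 = quad MV of the x_i
    Returns (servo outputs x_i, selected output x_0) after the run."""
    n = len(d)
    y = [0.0] * n
    for _ in range(steps):
        xs = [x + d[i] - y[i] for i in range(n)]
        x0 = quad_mid_value(xs)
        y = [y[i] + dt * (-y[i] + KE * (xs[i] - x0)) / tau for i in range(n)]
    xs = [x + d[i] - y[i] for i in range(n)]
    return xs, quad_mid_value(xs)


def predicted_case1_output(x, di, KE):
    """Case 1 (x_0 = 0): steady state x_i = (x + d_i) / (1 + K_E)."""
    return (x + di) / (1.0 + KE)


def predicted_case2_spread(di, d2, KE):
    """Case 2 (x_0 = x_2): steady state x_i - x_2 = (d_i - d_2) / (1 + K_E)."""
    return (di - d2) / (1.0 + KE)


if __name__ == "__main__":
    # Constructed: command 1.0 and offsets all leaving the outputs positive (Case 2).
    xs, x0 = servo_lag_equalization(1.0, [-0.02, 0.0, 0.03, 0.05], 3.0)
    print("Case 2 outputs:", [round(v, 5) for v in xs], "selected:", x0)
    # Constructed: zero command, offsets straddling zero (Case 1, threshold persists).
    xs, x0 = servo_lag_equalization(0.0, [-0.04, -0.01, 0.02, 0.05], 3.0)
    print("Case 1 outputs:", [round(v, 5) for v in xs], "selected:", x0)
```

In Case 2 the spread between servo outputs shrinks by the factor $1/(1 + K_E)$ relative to the raw offsets, which is the transient-reducing effect claimed above; in Case 1 the selected output stays pinned at zero and the threshold about zero is unchanged.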


Effects of Equalization


The principal advantages of equalization are:

• Eliminates integrator drift due to redundant channels.

• Reduces the steady-state differences between servo outputs. This reduces (a) the amplitude of limit cycle oscillations and (b) transients due to failures.

• An interesting feature of integral equalization is the effect it has on second failures in a triplex or quadruplex configuration. As an example, in the "triplex with back-up" configuration, a serious objection to manual selection of the back-up channel was the effect of two undetected hardover failures of the triplex system. In this situation the output would go hardover resulting in possible damage to the airplane before the pilot engaged the back-up. With integral equalization the first hardover eventually equalizes (provided that the failure is in the command), causing that servo output to maintain an average trim position. A subsequent hardover, after equalization, will cause the output to assume the good value or zero, whichever is closest to the failed signal. Thus, the result is a passive failure. This effect is shown in Figure VI-18.

The principal disadvantage of equalization is that it tends to mask failures. Thus, if in-flight failure detection is required, then equalization must be limited in order to insure that failures will be detected.


EFFECTS OF INTEGRAL EQUALIZATION
ON SECOND FAILURE TRANSIENT IN A TRIPLEX CONFIGURATION
WITH AN MV SSD

FIGURE VI-18


Supplement to Appendix VI


Let $u(t)$, $v(t)$, $w(t)$ denote independent, random and stationary processes, with identical statistics. Let $f(x)$, $F(x)$ denote their probability density and cumulative distribution functions, respectively, at any instant of time. Let $m$ denote the common mean.


Let $z(t)$ denote the mid-value of $u$, $v$, $w$ at time $t$. Then

$z(t) = u(t)$ if $(v \leq u \leq w)$ or $(w \leq u \leq v)$
$z(t) = v(t)$ if $(u \leq v \leq w)$ or $(w \leq v \leq u)$
$z(t) = w(t)$ if $(u \leq w \leq v)$ or $(v \leq w \leq u)$


Let

(1) $E_{vuw}$ denote the event $(v \leq u \leq w)$

(2) $E_{wuv}$ denote the event $(w \leq u \leq v)$

(6) $E_{vwu}$ denote the event $(v \leq w \leq u)$

(7) $E_u$ denote the event $(u \leq x)$
    $E_v$ denote the event $(v \leq x)$
    $E_w$ denote the event $(w \leq x)$


Let $G_z$ denote the cumulative distribution function of $z$. Then

$G_z(x) = P(z \leq x).$

Since events (1), (2), ..., (6) are exhaustive it follows that

$P(z \leq x) = P(E_{vuw}\cdot E_u + E_{wuv}\cdot E_u + \dots + E_{uwv}\cdot E_w + E_{vwu}\cdot E_w).$




Since the events (1), (2), ..., (6) are mutually exclusive except for the endpoints,

$P(z \leq x) = P(E_{vuw}\cdot E_u) + \dots + P(E_{vwu}\cdot E_w).$


Because of symmetry these six probabilities are equal. Therefore, we need only compute one of them, e.g., $P(E_{uvw}\cdot E_v)$. Observe

$P(E_{uvw}\cdot E_v) = \iiint_R f(u)\,f(v)\,f(w)\,du\,dv\,dw$

where $R$ is the region $(u \leq v \leq w)$ and $v \leq x$.

As an iterated integral this becomes

$P(E_{uvw}\cdot E_v) = \int_{-\infty}^{x} \int_{-\infty}^{v} \int_{v}^{+\infty} f(u)\,f(v)\,f(w)\,dw\,du\,dv.$

Observe $F(x) = \int_{-\infty}^{x} f(u)\,du = 1 - \int_{x}^{+\infty} f(u)\,du$, so that

$\int_{v}^{+\infty} f(w)\,dw = 1 - F(v),$

where $\int_{-\infty}^{v} f(u)\,du = F(v)$. Thus

$P(E_{uvw}\cdot E_v) = \int_{-\infty}^{x} f(v)\,F(v)\,(1 - F(v))\,dv = \int_{-\infty}^{x} f(v)\,F(v)\,dv - \int_{-\infty}^{x} f(v)\,F^2(v)\,dv.$




A simple integration (observing that $dF(v) = f(v)\,dv$) yields

$\int_{-\infty}^{x} f(v)\,F(v)\,dv = \frac{F^2(x)}{2}$

since $F(-\infty) = 0$. Also

$\int_{-\infty}^{x} f(v)\,F^2(v)\,dv = \frac{F^3(x)}{3}.$

Therefore, we conclude that

$G_z(x) = P(z \leq x) = 6\left[\frac{F^2(x)}{2} - \frac{F^3(x)}{3}\right].$

The probability density function, $g(x)$, is the derivative of $G_z(x)$.


Observe that if $f(x)$ is symmetrical about the mean, $m$; i.e., $f(m - x) = f(m + x)$, then $g$ is symmetrical about $x = m$. This follows from the identity

$\int_{-\infty}^{m-x} f(y)\,dy = \int_{m+x}^{+\infty} f(y)\,dy = 1 - \int_{-\infty}^{m+x} f(y)\,dy,$

i.e., $F(m - x) = 1 - F(m + x)$.

As a consequence of this symmetry it follows that the expected value of $z$ is $m$; i.e.,

$E(z) = m.$




In order to simplify the computations it will be henceforth assumed, without loss of generality, that the expected value is zero; i.e., $m = 0$.


In the following section the variance of $z$ will be computed assuming that the initial process is Gaussian; i.e.,

(10) $f(x) = \dfrac{1}{\sigma\sqrt{2\pi}}\, e^{-x^2/2\sigma^2}$

(11) $F(x) = \displaystyle\int_{-\infty}^{x} f(y)\,dy.$


Successively differentiating (10) yields

(12) $f'(x) = -\dfrac{x}{\sigma^3\sqrt{2\pi}}\, e^{-x^2/2\sigma^2}$

(13) $f''(x) = \dfrac{x^2}{\sigma^5\sqrt{2\pi}}\, e^{-x^2/2\sigma^2} - \dfrac{1}{\sigma^3\sqrt{2\pi}}\, e^{-x^2/2\sigma^2}$


Observe also that

(14) $F'(x) = f(x)$, $F''(x) = f'(x)$ and $F'''(x) = f''(x)$.

The variance of $z$ is


(15) $\sigma_z^2 = 6\displaystyle\int_{-\infty}^{+\infty} x^2 F(x)\,f(x)\,dx - 6\int_{-\infty}^{+\infty} x^2 F^2(x)\,f(x)\,dx.$


Each  of  these  two  integrals  will  now  be  evaluated. 


Let

$I_1 = \int_{-\infty}^{+\infty} x^2 F(x)\,f(x)\,dx.$

Observe that

$x^2 f(x) = \sigma^4 f''(x) + \sigma^2 f(x) = \left[F'''(x) + \frac{1}{\sigma^2}\,F'(x)\right]\sigma^4 = \sigma^4 F'''(x) + \sigma^2 F'(x),$

which follows from (13) and (14). Therefore

$I_1 = \int \sigma^4 F'''\,F\,dx + \int \sigma^2 F'\,F\,dx.$

Now observe that

$\frac{d}{dx}\left(F''\,F - \frac{F'^2}{2}\right) = F'''\,F$




and

$\frac{d}{dx}\left(\frac{1}{2}F^2\right) = F'\,F.$ Hence

$I_1 = \sigma^4\left(F''\,F - \frac{F'^2}{2}\right)\Big|_{-\infty}^{+\infty} + \sigma^2\,\frac{F^2}{2}\Big|_{-\infty}^{+\infty} = \frac{\sigma^2}{2}$

since $F''(\infty) = F''(-\infty) = 0$, $F'(\infty) = F'(-\infty) = 0$, $F(\infty) = 1$, $F(-\infty) = 0$.


To evaluate

$I_2 = \int_{-\infty}^{+\infty} x^2 F^2(x)\,f(x)\,dx$

observe, again, that

$x^2 f(x) = \sigma^4 F'''(x) + \sigma^2 F'(x)$

and thus

$I_2 = \int \sigma^4 F'''\,F^2\,dx + \int \sigma^2 F'\,F^2\,dx.$

Now observe that

$\frac{d}{dx}\left(F''\,F^2\right) = F'''\,F^2 + 2\,F\,F'\,F'' = F'''\,F^2 + \frac{d}{dx}\left(F\,F'^2\right) - (F')^3$

and $\frac{d}{dx}\left(\frac{1}{3}F^3\right) = F'\,F^2$. Thus,




$I_2 = \sigma^4\left(F''\,F^2 - F\,F'^2\right)\Big|_{-\infty}^{+\infty} + \sigma^4\int_{-\infty}^{+\infty} (F')^3\,dx + \sigma^2\,\frac{F^3}{3}\Big|_{-\infty}^{+\infty} = \sigma^4\int_{-\infty}^{+\infty} f^3(x)\,dx + \frac{\sigma^2}{3}.$

Since $f(x) = \dfrac{1}{\sigma\sqrt{2\pi}}\, e^{-x^2/2\sigma^2}$,

$f^3(x) = \left(\frac{1}{\sigma\sqrt{2\pi}}\right)^3 e^{-3x^2/2\sigma^2}$

and

$\int_{-\infty}^{+\infty} f^3(x)\,dx = \left(\frac{1}{\sigma\sqrt{2\pi}}\right)^3 \frac{\sigma\sqrt{2\pi}}{\sqrt{3}} = \frac{1}{2\sqrt{3}\,\pi\,\sigma^2}.$

Therefore

$I_2 = \frac{\sigma^2}{2\sqrt{3}\,\pi} + \frac{\sigma^2}{3}.$

From (15) we conclude, finally, that

$\sigma_z^2 = 6 I_1 - 6 I_2 = 3\sigma^2 - \frac{3\sigma^2}{\sqrt{3}\,\pi} - 2\sigma^2 = \sigma^2\left(1 - \frac{\sqrt{3}}{\pi}\right) \approx 0.45\,\sigma^2.$




When the selection is based on the average of the inputs then, obviously,

$z = \frac{u + v + w}{3}, \qquad E(z) = m, \qquad \sigma_z^2 = \frac{\sigma^2}{3},$

where $m$ is the mean value of $u$, $v$ and $w$.
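A numerical check of the Supplement's derivation, as an added example (not code from the report). The mid-value density $g(x) = 6\,f(x)\,F(x)\,(1 - F(x))$ used here is the derivative of $G_z(x) = 6[F^2/2 - F^3/3]$ obtained above; the code integrates it with Simpson's rule and compares the variance against the closed form $\sigma^2(1 - \sqrt{3}/\pi)$, for more than one $\sigma$.

```python
"""Numerical verification of the mid-value variance for Gaussian inputs.
Added example, not code from the report.  g(x) = 6 f F (1 - F) is the density
of the mid-value, obtained by differentiating G_z(x) = 3 F^2 - 2 F^3."""
import math


def f(x, sigma=1.0):
    """Gaussian density, equation (10)."""
    return math.exp(-x * x / (2.0 * sigma * sigma)) / (sigma * math.sqrt(2.0 * math.pi))


def F(x, sigma=1.0):
    """Gaussian cumulative distribution, equation (11)."""
    return 0.5 * (1.0 + math.erf(x / (sigma * math.sqrt(2.0))))


def g(x, sigma=1.0):
    """Density of the mid-value of three independent inputs with density f."""
    Fx = F(x, sigma)
    return 6.0 * f(x, sigma) * Fx * (1.0 - Fx)


def simpson(func, a, b, n=4000):
    """Composite Simpson rule on [a, b] with an even number of panels n."""
    h = (b - a) / n
    total = func(a) + func(b)
    for k in range(1, n):
        total += (4 if k % 2 else 2) * func(a + k * h)
    return total * h / 3.0


def mid_value_moments(sigma=1.0):
    """Returns (integral of g, mean of z, variance of z) for mean-zero inputs,
    integrating over +/- 10 sigma where the tails are negligible."""
    lim = 10.0 * sigma
    total = simpson(lambda x: g(x, sigma), -lim, lim)
    mean = simpson(lambda x: x * g(x, sigma), -lim, lim)
    var = simpson(lambda x: x * x * g(x, sigma), -lim, lim)
    return total, mean, var


def closed_form_variance(sigma=1.0):
    """The Supplement's result: sigma_z^2 = sigma^2 (1 - sqrt(3)/pi) ~ 0.45 sigma^2."""
    return sigma * sigma * (1.0 - math.sqrt(3.0) / math.pi)


if __name__ == "__main__":
    total, mean, var = mid_value_moments(1.0)
    print("integral of g:", total, "mean:", mean)
    print("numerical variance:", var, "closed form:", closed_form_variance(1.0))
```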




APPENDIX  VII 


SELF  TEST  CONSIDERATIONS 

In the flight control application the major components whose failures must be detected either in-flight or in pre-flight are:

• Sensors 

• Digital  flight  control  computers 

• Actuators 

• Displays  and  controls 

• Monitoring,  testing  and  disengage  devices 

• Communications  paths 

• Redundant-system-associated components (e.g., SSD's, intercomputer links, etc.)

As demonstrated previously, undetected failures in these components can result in a significant reduction in mission reliability. Failures must be detected with a coverage which is consistent with the reliability goals of the system. It has been shown that failure detection requirements are a function of the redundant configuration. For some conventional configurations, a FBW mission reliability goal may require a preflight test efficiency of 99.9% if periodic, 100% testing is not employed. Such requirements are several orders of magnitude beyond what is demonstrably achievable. As a consequence, we may conjecture that:

• Methods  of  failure  detection  will  have  to  be  exceed- 
ingly more  comprehensive  than  techniques  now  in  use 

• New  methods  of  validating  a failure  detection  pro- 
cedure will  be  required 

With respect to failure detection the following tasks should be an integral part of the design and synthesis of a redundant flight control system:




Statement of Mission Reliability Goal


An  explicit  goal  forces  the  designer  to  view  the 
contribution  of  each  component  in  the  perspective  of  the  whole 
system  and  leads  to  a practicable  and  fair  allocation  of  failure 
rates.  The  criterion  of  relative  mission  reliability  can  lead  to 
unnecessary,  inconsistent  and  costly  refinements. 

Allocation  of  Failure  Rates 


Failure  rates  should  be  allocated  to  all  system  com- 
ponents based  upon  (a)  what  is  necessary  and  (b)  what  is  achiev- 
able. 


Statement  of  Failure  Detection  Requirements 

The  objectives  of  in-flight  and  pre-flight  failure 
detection  should  be  stated.  In  particular,  the  extent  to  which 
in-flight  detection  contributes  to  the  attainment  of  the  mission 
reliability  goal  should  be  made  explicit.  In-flight  and  pre- 
flight failure  detection  efficiency  requirements  for  all  system 
components  should  be  explicit  and  should  consider  their  effect 
on  mission  reliability. 

In-Flight  and  Pre-Flight  Failure  Detection  Validation 

Having  determined  detection  efficiency  goals  and  tech- 
niques to  achieve  these  goals  it  is  then  necessary  to  develop  a 
procedure  which  is  capable  of  validating  the  claimed  efficiencies. 

In  summary,  we  may  state  that  the  three  development  phases 
of  a test  procedure  relative  to  the  flight  control  system  are: 

• Requirements 

• Achievement 

• Validation 


Thus  far  in  the  study  we  have  emphasized  failure 
detection  requirements.  What  is  actually  achievable  and  by  what 
means  has  not  been  discussed  at  all.  In  the  following  sections 
we  will  examine  some  general  aspects  of  failure  detection  for  the 
purpose  of  exposing  some  of  the  difficulties  involved  in  achieving  near-perfect  coverage.  The  emphasis  of  the  discussion  is  on 
digital  devices,  exclusively. 


1.  The  Sequential  Machine  Model 


We  take,  as  our  model  of  the  digital  device,  the 
sequential  machine.  The  following  brief  description  of  a sequential  machine  can  be  augmented  by  almost  any  reference  on  the 
subject,  and  in  particular,  by  References  (8),  (9),  and  (10). 

A sequential  machine  is  a device  which  accepts,  at 
discrete  instants  of  time,  an  input  and  simultaneously  issues  an 
output.  In  general  the  output  will  depend  upon  the  past  as  well 
as  the  present  input.  This  dependence  on  the  past  leads  naturally  to  the  notion  of  "state"  which  embodies  the  past  history  of 
the  device. 


A lag  filter  whose  inputs  and  outputs  are  impulse 
modulated  is  an  example  of  a sequential  machine.  In  this  device 
the  inputs,  outputs,  and  states  are  infinite  in  number.  In  our 
application,  however,  the  inputs  and  outputs  will  be  binary  coded 
decimals  of  fixed  length  and,  thus,  are  finite.  Similarly,  the 
number  of  internal  state  variables  (usually  the  equivalent  of 
flip-flop  outputs)  will  be  finite.  A machine  with  a finite 
number  of  inputs,  outputs  and  states  is  called  a finite,  sequen- 
tial machine.  We  formalize  the  definition  as  follows: 


Let 

$X = \{x_1, x_2, \ldots, x_m\}$  set  of  inputs 

$S = \{s_1, s_2, \ldots, s_n\}$  set  of  internal  states 

$Y = \{y_1, y_2, \ldots, y_p\}$  set  of  outputs. 


Then  a finite  sequential  machine  is  the  pair  of  functions  f and  g such  that 

$s^{i+1} = f(x^i, s^i)$ 

$y^i = g(x^i, s^i)$ 

where  $x \in X$,  $y \in Y$,  $s \in S$  and  the  superscript,  i,  denotes  the  ith 
instant  of  time.  When  S consists  of  a single  state  the  machine 
is  called  a combinatorial  machine. 




In  general  the  inputs,  outputs  and  states  are  vector 
quantities  as,  for  example,  when  the  input  consists  of  the  binary 
bits  of  a binary  coded  decimal.  The  sequential  machine,  as  defined  above,  provides  the  option  of  outputting  one  of  many  output 
symbols  from  a given  state,  depending  on  the  input.  This  type 
of  machine  is  referred  to  as  a "Mealy"  model  in  contrast  to  a 
"Moore"  model  which  yields  an  output  as  a function  only  of  the 
state  and  not  the  input.  For  our  purposes,  however,  the  two 
models  can  be  shown  to  be  equivalent  (Ref.  (9),  page  29). 

The  functions  f and  g completely  define  the  sequential 
machine.  An  alternate  representation  is  by  means  of  (a)  a 
state  table  or  (b)  a state  diagram.  In  a state  table  the  row 
entries  are  the  present  states,  the  column  entries,  the  present 
inputs.  Each  table  entry  consists  of  the  next  state  and  the 
output.  The  state  table  is  shown  in  Figure  VII-1.  In  the  state 
diagram  each  state  is  represented  by  a circle.  Directed 
arrows  connecting  pairs  of  states  indicate  the  next  state. 
Above  each  arrow  is  noted  the  present  input  and  output.  The 
arrows  are  called  transition  paths  or  branches  (See  Figure 
VII-2). 


A machine  with  n states,  m inputs,  and  p outputs  will 
be  called  an  (n,  m,  p)  machine. 

From  the  state  table  it  can  be  seen  that  there  are  nm 
entries.  Each  entry  can  consist  of  one  of  n states  and  one  of 
p outputs.  Hence,  there  are  $(np)^{nm}$  possible  (n,  m,  p)  machines. 
However,  not  all  of  these  are  distinct.  For  any  machine  we  can 
obtain  n!  equivalent  machines  by  simply  permuting  and  relabeling 
the  states.  Thus,  we  conclude  that  there  are,  at  most,  $(np)^{nm}/n!$ 
distinct  (n,  m,  p)  machines. 

Examples  of  Sequential  Machines 

The  sequential  machine  is  a convenient  device  for 
representing  the  operation  of  a digital  circuit  and,  a fortiori, 
for  representing  the  effects  of  failures.  Before  proceeding 
further  we  give  the  rationale  for  the  present  discussion.  We 
are  given  a digital  circuit  which  is  represented  by  a certain 
(n,  m,  p)  sequential  machine,  provided  that  the  circuit  has  not 
failed.  If  the  circuit  fails  then  it  will  behave  like  some  other 
sequential  machine,  not  necessarily  an  (n,  m,  p)  machine.  It  is 
then  the  task  of  the  fault  diagnostician  to  determine  that  the 
failed  machine  does  not  behave  like  the  original  machine.  We 
place  one  restriction  on  the  observer:  He  cannot  directly  observe  the  internal  states;  his  diagnosis  must  be  obtained  by 
injecting  inputs  and  observing  the  corresponding  outputs.  It  is 
permissible  that  he  have  at  his  disposal  the  state  table  representations  of  as  many  sequential  machines  as  are  necessary. 




PORTION  OF  STATE  DIAGRAM 
FIGURE  VII-2 


Example  1 RS  Flip-Flop 

"Reset"  changes  A=1  to  A=0 

States: 

S1  = (A=1,  Ā=0) 

S2  = (A=0,  Ā=1) 

S3  = (A=1,  Ā=1)  }  For  failure 
S4  = (A=0,  Ā=0)  }  conditions  only 

Outputs: 

y1  = (1, 0) 

y2  = (0, 1) 

y3  = (1, 1)  }  For  failure 
y4  = (0, 0)  }  conditions  only 

Inputs: 

x1  = (R=0,  S=0) 

x2  = (R=0,  S=1) 

x3  = (R=1,  S=0) 

x4  = (R=1,  S=1)  }  For  failure  conditions  only 


RS  FLIP-FLOP 
FIGURE  VII-3 




It  is  emphasized  that  states  S3  and  S4,  input  x4  and  outputs 
y3  and  y4  do  not  occur  under  nominal,  non-failed  conditions. 
They  should  be  included  in  the  state  table,  however,  for  fault-diagnosis  purposes  even  though  the  corresponding  "next  state" 
and  "output"  entries  are  left  blank.  Obviously,  it  is  always 
an  advantage  to  know  how  the  circuit  will  respond  under  failed 
conditions.  In  particular,  the  response  of  a flip-flop  to  the 
input  x4  should  always  be  specified.  The  state  table  and  state 
diagram  of  the  RS  flip-flop  are  shown  in  Table  VII-1  and  Figure 
VII-4,  respectively. 

Example  2 Serial  Binary  Adder 

States: 

S1  = 0-carry 

S2  = 1-carry 

Outputs: 

y1  = 0 

y2  = 1 

Inputs: 

x = (a, b),  a = 0, 1;  b = 0, 1 

a = addend  bit,  b = augend  bit 

Thus,  there  are  four  possible  inputs.  The  state  table  is 
shown  in  Table  VII-2  and  the  state  diagram  in  Figure  VII-5.  A 
logic  diagram  of  the  serial  adder  is  shown  in  Figure  VII-6. 

Example  3 Random  Access  Memory 

For  simplicity  we  assume  that  the  RAM  consists  of  two 
1-bit  words. 

States:  S = (w1,  w2) 

w1  = word  #1  = 1 bit 
w2  = word  #2  = 1 bit 

Thus,  there  are  4 states. 

Outputs:  y1  = 0 

y2  = 1 

Inputs:  x = (ADDR,  RW,  I) 

ADDR  = 1-bit  address 
RW  = 0 if  read, 
= 1 if  write, 
I = 1-bit  word,  to  be  stored. 

Thus,  there  are  8 inputs. 




STATE  TABLE  FOR  RS  FLIP-FLOP 
TABLE  VII-1 


STATE  DIAGRAM  FOR  RS  FLIP-FLOP 
FIGURE  VII-4 




STATE  TABLE  FOR  SERIAL  BINARY  ADDER 
TABLE  VII-2 


STATE  DIAGRAM  FOR  SERIAL  BINARY  ADDER 
FIGURE  VII-5 




LOGIC  DIAGRAM  OF  SERIAL  BINARY  ADDER 
FIGURE  VII-6 


A portion  of  the  state  diagram  is  shown  in  Figure  VII-7  for 
the  state  (0,0). 

2.  Representation  of  Failures  (i.e.,  Failure  Effects) 

We  start  with  a digital  circuit  which  realizes  a 
certain  sequential  machine,  M'.  In  its  non-failed  condition  the 
circuit  is  a realization  of  a certain  (n,  m,  p)  machine,  M. 
Because  of  the  possible  existence  of  failures  M'  may  or  may  not 
be  equivalent  to  M.  It  is  the  task  of  the  diagnostician  to  make 
this  determination.  Before  proceeding  further  it  is  necessary 
to  define  the  notion  of  "equivalence"  of  two  machines. 

Definition  1 


Machine  M'  is  equivalent  to  machine  M if  and  only  if 

• for  every  state,  S'_i,  of  M'  and  every  input 
sequence  there  exists  a state,  S_j,  of  M 
such  that  the  input  sequence  with  M'  in 
state  S'_i  produces  the  same  output  sequence 
as  the  input  sequence  beginning  with  M in 
state  S_j,  and 

• for  every  state,  S_j,  of  M and  every  input 
sequence  there  exists  a state,  S'_i,  of  M' 
such  that  the  input  sequence  with  M in 
state  S_j  produces  the  same  output  sequence 
as  the  input  sequence  beginning  with  M'  in 
state  S'_i. 

It  is  impossible  to  distinguish  between  equivalent 
machines  on  the  basis  of  inputs  and  outputs  alone.  We  note  that 
the  structure  of  equivalent  machines  may  be  quite  different.  We 
now  define  a failed  machine. 

Definition  2 


Machine  M'  is  a failed  replicate  of  machine  M if  and 
only  if  M'  is  not  equivalent  to  M. 

Thus  far  we  have  not  said  anything  regarding  the  struc- 
ture of  the  failed  machine.  To  this  end  we  make  the  following 
assumptions: 

• The  set  of  inputs  does  not  change. 

• The  set  of  outputs  does  not  change. 

• The  number  of  states  does  not  increase. 




The  first  two  assumptions  are  relatively  weak  and 
impose  minimum  constraints  on  the  failure  modes.  The  third 
assumption  is  necessary  in  order  to  circumscribe  the  problem. 
It  appears  to  be  reasonable  and,  in  any  case,  is  almost  always 
invoked  in  the  literature.  We  note,  in  reference  to  this  assumption,  that,  given  an  input  sequence  of  any  finite  length 
there  is  a machine  M',  beginning  in  some  state,  which  will  yield 
the  same  output  as  M beginning  in  its  initial  state. 

In  summary  we  assume  that  a failed  replicate  of  an 
(n,  m,  p)  machine  is,  again,  a different  (n,  m,  p)  machine. 

Failures 


The  following  circuit  failures  can  cause  a machine 
to  fail: 

• stuck-at-0 

• stuck-at-1 

• opens 

• shorts 

• bridging  (logic) 

• intermittent 


The  first  four  failures  could  result  in  a reduction 
in  states.  Bridging  could  result  in  either  an  increase  or  de- 
crease in  the  number  of  states.  Intermittent  failures  may  be 
caused  by  vibrations  or  noise  and  are  not  necessarily  reproduc- 
ible. 


a.  Test  Philosophies 

There  are  several  philosophies  regarding  testing 
of  digital  computers: 

• The  computer  is  designed  with  dedicated  additional 
hardware  for  the  express  purpose  of  detecting 
failures,  usually  through  redundancy  and  comparison-type  monitoring. 

• Error  detection  coding  of  internal  computer  vari- 
ables. These  variables  are  coded  in  such  a way 
that  a failure  or  failures  will  very  likely  cause 
a recognizable  change  in  the  code. 



• Use  of  a software  program  to  self  test  all  acces- 
sible internal  devices.  Each  device  is  tested 
against  a stored  state  table  or  a portion  thereof. 

• Generate  and  output  internal  variables  for  com- 
parison with  similar  variables  in  an  identical 
computer  (comparison-monitoring) . 


We  will  discuss  only  the  self  test  philosophy 
assuming,  as  we  do,  that  the  computer  was  not  designed  with 
built-in  failure  detection  capability. 

b.  Computational  Requirements  of  Self  Test 

In  this  section  we  will  obtain  estimates  for  the 
length  of  the  input  sequence  necessary  to  completely  test  an 
(n,  m,  p)  machine  subject  to  previously  stated  assumptions  re- 
garding the  effects  of  failures.  For  convenience,  we  restate 
these  assumptions: 

A failed  replicate  of  an  (n,  m,  p)  machine  is, 
again,  an  (n,  m,  p)  machine. 

For  purposes  of  obtaining  estimates  we  make  the 
additional  assumption  that  for  each  (n,  m,  p)  machine,  M',  there 
is  a set  of  component  failures  which  will  transform  the  original 
and  non-failed  machine,  M,  into  M'. 

It  is  undoubtedly  true  that  the  class  of  machines 
which  can  replicate  a failed  machine  is  smaller  than  the  class 
of  all  (n,  m,  p)  machines.  However,  since  we  do  not  have  sufficient  information  at  the  present  time  to  significantly  limit  this 
class  we  proceed  on  our  assumption,  which,  in  any  case,  presents 
the  greater  difficulties  to  the  diagnostician. 

We  now  obtain  a lower  bound  on  the  length  of  an 
input  sequence  required  to  test  an  (n,  m,  p)  machine.  The 
example  is  essentially  due  to  Moore  (Ref.  8).  Consider  a combination  lock  with  combination  $a_1, a_2, \ldots, a_{n-1}$  where  each 
digit,  $a_i$,  could  have  assumed  one  of  m values.  Such  a lock  can 
be  represented  by  an  (n,  m,  2)  machine  as  shown  in  Figure  VII-9. 
The  combination  lock  opens  when  the  output  equals  unity  and  this 
can  occur,  starting  in  state  $S_1$,  if  and  only  if  the  input  sequence  is  $a_1, a_2, \ldots, a_{n-1}$.  It  is  obvious  that,  in  order  to 
test  the  lock,  it  is  necessary  to  try  all  of  the  possible  combinations  and  that  the  number  of  combinations  is  $m^{n-1}$.  An  additional  example  is  given  in  the  Supplement  to  this  Appendix. 




In  order  to  appreciate  the  magnitude  of  this 
estimate  consider  a typical  64-bit  RAM,  which  is  organized  as 
16,  4-bit  words.  The  input  is  a 9-bit  binary  word,  4 bits  of 
which  designate  the  input  word,  4 bits  the  address,  and  one  bit 
to  read  or  write.  The  output  is  a 4-bit  word.  Thus,  the  RAM 
can  be  represented  by  a sequential  machine  with 

$n = 2^{64}$  states 

$m = 2^{9}$  inputs 

$p = 2^{4}$  outputs 

The  estimate  of  $m^{n-1}$  is  to  be  used  when  no  advantage  is  taken  of  the  unique  structure  of  the  device  being  tested. 
Thus,  if  the  self  test  is  designed  for  a particular  device  it 
may  be  possible  to  do  considerably  better  than  $m^{n-1}$.  For  the 
64-bit  RAM  we  obtain 

$m^{n-1} = \left(2^{9}\right)^{2^{64}-1} \approx 2^{1.1 \times 2^{67}}$ 

as  the  minimum  length  of  the  input  sequence  required  to  test  the 
device. 


From  this  simple  example  we  may  conclude  that  an 
efficient  and  practicable  self  test  must  be  designed  to  take 
advantage  of  the  unique  structure  of  each  device  being  tested. 

With  regard  to  an  upper  bound  on  the  length  of 
input  sequence  required  (in  view  of  the  lower  bound,  the  upper 
bound  is  of  academic  interest,  only)  Moore  (Ref.  8)  gives  the 
estimate 


j^mn+2pni 

nl 


for  an  (n,m,p)  machine. 

We  note,  in  passing,  that  there  is  considerable 
literature  available  in  the  area  of  fault-diagnosis  of  digital 
devices.  A significant  portion  of  this  effort  is  directed 
towards  developing  specialized  input  sequences  designed  to  detect 
failures  of  specific  combinatorial  and  sequential  circuits.  We 
have  not  seen  any  published  data  regarding  the  efficiency  of  such 
algorithms  when  applied  to  MSI  or  LSI  circuits  of  a typical  mini- 
computer. 




c.  Conclusions  Regarding  Self  Test 


(1)  A sequential  machine  provides  a good  model  for 
representing  failed  digital  devices. 

(2)  A self  test  procedure,  if  it  is  to  be  efficient 
and  practicable,  must  take  advantage  of  the  unique  structure  of 
the  device  being  tested. 

(3)  Data  must  be  obtained  regarding 

(a)  the  failure  modes  of  typical  digital  circuits 
which  comprise  the  flight  control  computer 

(b)  the  probabilities  of  occurrence  of  the  failure 
modes  of  these  circuits. 

(4)  Validation  procedures  must  be  devised  to  validate 
a self  test  algorithm. 

In  the  absence  of  comprehensive  failure  data  we  cannot,  at  the 
present  time, 

• Define  the  general  requirements  of  a self  test 
procedure  in  terms  of  minimum  length  of  input 
sequence,  real  time  or  memory  requirements; 

• Estimate,  with  any  precision,  the  efficiency  of 
a self  test  algorithm  when  that  efficiency 
approaches  100%. 

3.  Breadboard  Hardware  Validation  of  a Self-Test  Program 

In  the  preceding  section  it  was  shown  that  a digital, 
sequential  circuit  could  be  represented  by  a sequential  machine- 
The  sequential  machine  representation  leads  to  the  conclusion 
that,  if  no  advantage  were  taken  of  the  unique  structure  of  the 
device,  then  the  number  of  inputs  required  to  completely  test  the 
device  was  so  large  as  to  render  the  test  impractical.  As  a 
consequence,  we  must  settle  for  something  less  than  a complete 
test.  We  cite  several  factors  which  give  cause  for  optimism: 

• The  flight  control  computer  consists  of  many 
types  of  combinatorial  and  sequential  circuits 
whose  inputs  and  outputs  are  directly  accessi- 
ble for  fault-diagnosis.*  Most  of  these  devices 
are  relatively  easy  to  diagnose  by  self  test 
algorithms. 

*A  complete  tabulation  of  microcircuits  for  the  Central  Processor 
of  the  Bendix  BDX  Digital  Computer  is  presented  in  Table  VII-3. 




• Failure  rates  of  hard-to-test  failures  of  a 
digital  device  may  be  acceptably  small. 

• Failure  rates  of  hard-to-test  devices  may  be 
acceptably  small. 

We  know,  for  example,  that  the  most  commonly  encountered  failures 
are 


• Stuck-at  input  or  output  bits. 

• Stuck-at  internal  variables  which  prevent  trans- 
itions to  certain  states  (e.g.,  a stuck-at  bit 
of  a storage  register) . 

A complete  test  for  these  failures  can  be  achieved  by 
forcing  each  of  the  variables  to  a "1"  or  "0"  state.  Failures 
of  this  kind  occur  much  more  frequently  than  all  other  failures 
combined.  As  a consequence,  it  may  be  said  that  their  detection 
is  the  primary  objective  of  almost  all  self  test  algorithms. 

a.  Self  Test  Program 

In  the  next  section,  we  will  describe  a bread- 
board set-up  which  was  designed  expressly  for  this  study  for  the 
purpose  of  validating  a self  test  program  such  as  might  be  used 
in  an  airborne  flight  control  computer.  Because  of  the  similar- 
ity of  parts  and  structure  of  most  single  address  mini-computers, 
the  results  of  the  study  are  applicable  to  a wide  class  of  com- 
puters. 


Because  of  its  availability  and  also  because  it 
has  given  good  service,  it  was  decided  to  use  a software  program* 
which  is  used  to  test  all  of  the  BDX  model  computers.  A detailed 
description  of  the  program  is  contained  in  Supplement  B.  Briefly, 
the  program  tests  all  computer  busses  (except  the  I/O,  DMA 
busses),  instructions,  all  16  registers  of  the  scratch  pad  memory 
(RAMS),  that  portion  of  the  main  memory  containing  the  self  test 
program,  that  portion  of  the  program  counter  which  is  necessary 
to  address  the  memory  locations  containing  the  self  test  program, 
arithmetic  operator  and  the  "Q"  register.  The  portion  of  the 
computer  which  is  tested  is  cross-hatched  in  Figure  VII-8.  We 
emphasize  that  this  particular  program  is  not  designed  to  detect 
failures  of  the  I/O  and  associated  devices  such  as  converters, 
multiplexers,  I/O  timing  strobes,  etc.  The  self  test  program 
requires  1,128  memory  words  and  requires  8,600  memory  cycle 
times  to  make  one  complete  pass.  At  the  rate  of  one  microsecond 


*The  program  was  devised  by  Mr.  T.  Weilbacher  of  Bendix. 




Table  VII-3 

Microcircuits  of  the  Bendix  BDX  900  Digital  Computer 

Columns:  No.  |  Part  No.  |  Description  |  Classification  |  Quantity  (Arith.  Unit,  Control  Unit)  |  Total  Qty. 

1 

LM111D 

VOLTAGE  COMPARATOR 

ANALOG 

1 

2 

936 

DTL  HEX  INVERTER 

SSI 

1 

3 

949 

DTL  QUAD  GATE 

SSI 

4 

4 

:H1032-1D 

MOS  ROM  CLOCK  DRIVER 

HYBRID 

2 

5 

3111 

ROM  (MOS) 

LSI 

1 

6 

3112 

1 

7 

3113 

1 

8 

3114 

1 

9 

3115 

1 

10 

4009 

BUFFER,  (MOS) 

SSI 

9 

11 

4609 

ADDER/MULTIPLEXER 
DUAL  FF/MULTIPLEXERS  f 

MSI 

8 

12 

4611 

MSI 

8 

13 

14 

5400 

TTL  QUAD  GATE 

SSI 

3 

5 

15 

5402 

TTL  QUAD  GATE 

2 

2 

16 

5403 

TTL  QUAD  GATE 

4 

17 

5404 

TTL  HEX  INVERTER 

4 

18 

5405 

TTL  HEX  INVERTER 

2 

19 

5410 

TTL  TRIPLE  GATE 

1 

20 

5437 

TTL  QUAD  GATE/BUFFER 

2 

21 

5473 

TTL  DUAL  JK  FF 

2 

22 

5474 

TTL  DUAL  D FF 

A 

A 

3 

23 

5475 

TTL  QUAD  LATCH 

1 

2 

24 

25 

26 

5486 

TTL  QUAD  GATE 

1 

1 

9309 

TTL  DUAL  MULTIPLEXER 

MSI 

4 

3 

27 

3312 

TTL  MULTIPLEXER 

MSI 

2 

28 

9316 

TTL  4-BIT  COUNTER 

MSI 

4 

1 

29 

30 

8250 

TTL  BINARY/OCTAL  CONV. 

MSI 

1 

31 

8266 

TTL  QUAD  MULTIPLEXER 

MSI 

2 

32 

33 

34 

8270 

TTL  4-BIT  SHIFT  REG. 

MSI 

1 

31013 

64-BIT  RAM 

LSI 

4 



57 

43 



per  cycle  time,  a complete  pass  requires  8.6  milliseconds.  If 
a fault  is  not  detected  the  program  halts  with  the  program 
counter  equal  to  $(251)_8$;  any  other  result  indicates  that  a fault 
was  detected.  If  a fault  is  detected  and  if  it  can  exercise 
sufficient  control,  the  program  halts  with  the  program  counter 
equal  to  $(151)_8$  having  first  loaded  a code  into  one  of  the 
accumulators  which  identifies  the  area  of  the  failure. 

b.  The  Breadboard 


In  order  to  obtain  the  maximum  information  in  the 
shortest  time,  the  validation  was  confined  to  a restricted  class 
of  failures  which  included  grounded  input  and  output  modes  and 
when  it  was  non-destructive  and  an  inverter  was  accessible, 
simulated  shorts  to  the  supply  voltage.  The  eventual  extension 
of  the  procedure  to  include  the  entire  class  of  stuck-at  failures 
was  a paramount  consideration,  however,  and  it  was  understood 
that  the  present  effort  was  the  first  step  toward  achieving  this 
objective.  Altogether,  350  pins,  representing  the  entire  com- 
plement of  accessible  nodes,  were  "failed”.  After  each  failure 
was  injected  the  self  test  program  was  initiated  and  the  results 
tabulated.  In  the  following  paragraphs  a detailed  description 
of  the  procedure,  hardware,  and  results  is  given. 

The  test  was  conducted  by  grounding  all  input  and 
output  nodes,  one  at  a time.  However,  this  did  not  result  in  the 
grounding  of  each  individual  input  to  a device  since,  frequently, 
a single  node  fed  two  or  more  inputs  via  gating  circuitry.  As  a 
result,  the  grounding  of  certain  nodes  actually  resulted  in  the 
simultaneous  failing  of  some  inputs  to  a high  (if  the  interven- 
ing gate  was  an  inverter)  and  some  inputs  to  ground.  It  was  not 
considered  advisable  to  fail  all  nodes  to  a high  since  this  could 
have  caused  the  destruction  of  an  "upstream"  gate  if  a buffer  did 
not  intervene. 


It  appears  that,  with  the  proper  hardware,  this 
approach  can  be  extended  to  include  the  following  types  of  failures: 

(1)  Input  and  Output  Nodes 

(a)  always  high 

(b)  always  low 



(2)  Input  Nodes 

(a)  opens  (= high  in  TTL,  DTL) 

(b)  input  diode  (DTL)  short-circuit 

(c)  emitter-base  junction  (TTL)  short-circuit 

(3)  Common  Package  Failures 

(a)  device  ground  lead  open 

(b)  device  Vcc  lead  open 

There  is  another  class  of  failures  which  are  extremely  difficult  to  simulate  and,  at  present,  no  method  has 
been  proposed  for  doing  so.  These  failures  are: 

(4)  Internal  Logic  Failures  of  Devices 

These  failures  result  in  a restructuring  of 
the  internal  state  and  transition  branches.  As  a result,  the 
failure  will  not  be  seen  at  the  output  until  a certain  and  unknown  combination  of  input  and  internal  state  occurs. 

Grounding  failures  are  easy  to  introduce  since 
TTL/DTL  outputs  may  be  grounded  safely  for  many  seconds.  Therefore,  it  is  not  necessary  to  break  a conductor  path  to  simulate 
an  open  since  a ground  can  be  used,  instead.  Forcing  a node  to 
a high  can  be  a problem  because  of  its  destructive  effect,  as 
noted  previously.  Forced  highs  could  be  introduced  with  a 
sequence  generator  such  that  the  forcing  is  applied  no  longer 
than  necessary.  Forcing  for  30  or  40  milliseconds  should  not 
produce  undue  device  degradation  while  being,  at  the  same  time, 
of  adequate  duration  for  the  test. 

Since  both  of  the  above  methods  do  not  require 
physically  breaking  a wire,  no  special  preparation,  other  than 
the  generator,  is  necessary  other  than  providing  access  to  the 
circuit  boards. 


Further  testing  requires  opening  microcircuit 
leads  and  is  best  accomplished  on  a specimen  machine  constructed 
with  sockets  for  the  microcircuits.  This  approach  permits  the 
simulation  of  failures  2a  (input  opens),  3a  (ground  leads  open) 
and  3b  (Vcc  leads  open). 


c.  The  Test 


In  the  fail-to-ground  testing  routine  the  two  CPU 
cards  of  the  BDX-900  digital  computer  were  mounted  in  a test 
fixture  connected  to  a laboratory  core  memory  and  test  console. 
A paper  tape  reader  was  used  to  load  the  test  program.  A "DIP-CLIP"  test  point  adaptor  was  clipped  on  each  DIP  and  a "normally 
open"  push-button  switch  was  connected  to  ground  each  output 
(or  input)  to  the  ground  pin  of  that  device. 

The  test  procedure  was  as  follows: 

(1)  Manually  load  Bootstrap  Loader  program  into 
memory  using  the  manual  console. 

(2)  Load  self-test  program  from  punched  tape  into 
memory. 

(3)  Set  program  register  to  first  step  of  self-test 
program  and  initiate  computer  'RUN'. 

(4)  Computer  must  halt  with  the  program  counter 
equal  to  251  indicating  self-test  was  executed  correctly. 

(5)  Connect  push-button  to  pin  to  be  grounded  but 
do  not  press  button.  Repeat  steps  3 and  4,  checking  that  the 
push-button  has  not  disturbed  the  circuits. 

(6)  While  holding  the  push-button  depressed,  run  the 
self-test  program  (steps  3 and  4).  If  the  computer  halts  with 
251  in  the  program  counter,  the  fault  was  not  detected.  Any 
other  result,  including  no  halt  or  refusal  to  run,  indicates 
fault  detection. 

(7)  Release  push-button. 

(8)  Record  results. 

(9)  Repeat  steps  3 and  4.  If  a No-Go  results,  at 
least  a portion  of  the  self-test  program  in  memory  has  been 
altered.  Repeat  steps  2,  3,  and  4. 

(10)  If  step  2 will  not  run,  the  bootstrap  loader 
program  has  also  been  altered.  Repeat  steps  1,  2,  3,  and  4. 

(11)  Upon  receiving  a GO,  go  back  to  step  5 using 
next  point  to  be  tested. 




The  self-test  program  used  was  designed  to  test 
all  macro  instructions  except  the  I/O  instructions  and  those  skip 
instructions  associated  with  external  signals.  All  micro  words 
within  the  micro  memory  are  executed  at  least  once  except  those 
associated  with  "power  on",  "test  set",  interrupt  and  the  above 
mentioned  macro  instructions. 

d.  Results 

Signals  100*  through  115*  constitute  the  data 
buss  to  the  console.  The  apparent  detection  of  failures  on  these 
points  is  related  to  console  functions  external  to  the  CPU.  This 
group  of  16  signals  should  not  be  considered  tested  within  the 
scope  of  this  self-test  program. 

Signals  P11,  P12,  P13,  and  P14  represent  higher 
order  program  counter  bits,  while  TC2  represents  the  ripple  carry 
from  P11  to  P12  (since  four  bit  counter/register  chips  are  used, 
only  every  fourth  carry  is  available).  These  five  signals  represent  those  signals  which  are  within  the  scope  of  the  present 
self-test  program  and  which  should  be  tested  but  are  not.  It 
would  be  a relatively  simple  matter  to  add  to  or  change  the  program  to  pick  up  these  points,  but  for  present  purposes  they 
illustrate  the  point. 

The  score  card  then  reads: 

|                                  | Control  Unit | Arithmetic  Unit | Total  | 
| Total  Nodes  Tested              | 193  | 185  | 378   | 
| Interrupt  Nodes                  | 3    | 1    | 4     | 
| Manual  Halt  Nodes               | 3    | 0    | 3     | 
| I/O  Nodes                        | 10   | 16   | 26    | 
| Valid  Nodes  Tested              | 177  | 168  | 345   | 
| Nodes  not  detected              | 0    | 5    | 5     | 
| *Efficiency  (Node  Ground  Fault) | 100% | 97.0% | 98.55% | 

As  indicated,  the  upper  program  counter  bits  could 
be  checked  by  adding  to  or  modifying  the  self-test  program  to 
utilize  these  upper  addresses.  This  indicates  the  value  of  this 
program  testing  technique  in  developing  effective  self-test. 

*If  all  failures  are  equi-probable,  then  this  quantity  corresponds  to  test  coverage. 
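The score card above and its footnote, worked as an added example (not code from the report): a tally routine over one record per grounded node that excludes the out-of-scope node classes (interrupt, manual halt, I/O) exactly as the table does, computes the per-unit efficiency, and then shows the footnote's caveat by weighting each node by a failure rate. The records and the failure-rate weights are constructed; only the totals they reproduce come from the page.

```python
"""Tabulating node-grounding results into detection efficiency and coverage.

Added example, not part of the report.  make_records() is constructed to
reproduce the score card totals (193 + 185 nodes, 5 undetected, all in the
Arithmetic Unit); the relative failure rates used for weighting are
hypothetical, as the report says such data has yet to be collected.
"""
from collections import defaultdict

# Node classes the report excludes from the "valid nodes tested" count.
OUT_OF_SCOPE = {"interrupt", "manual_halt", "io"}


def make_records():
    """Constructed per-node results: (unit, node_class, detected)."""
    recs = []
    recs += [("Control", "interrupt", True)] * 3
    recs += [("Control", "manual_halt", True)] * 3
    recs += [("Control", "io", True)] * 10
    recs += [("Control", "logic", True)] * 177
    recs += [("Arithmetic", "interrupt", True)] * 1
    recs += [("Arithmetic", "io", True)] * 16
    recs += [("Arithmetic", "logic", True)] * 163
    # P11-P14 and TC2: in scope of the self-test but never exercised by it.
    recs += [("Arithmetic", "pc_upper", False)] * 5
    return recs


def score_card(records):
    """Per-unit and total counts in the layout of the report's score card.
    efficiency = (valid - undetected) / valid, in percent."""
    card = defaultdict(lambda: {"tested": 0, "excluded": 0,
                                "valid": 0, "undetected": 0})
    for unit, cls, detected in records:
        in_scope = cls not in OUT_OF_SCOPE
        for key in (unit, "Total"):
            row = card[key]
            row["tested"] += 1
            if not in_scope:
                row["excluded"] += 1
            else:
                row["valid"] += 1
                if not detected:
                    row["undetected"] += 1
    for row in card.values():
        row["efficiency"] = (100.0 * (row["valid"] - row["undetected"]) / row["valid"]
                             if row["valid"] else 0.0)
    return dict(card)


def weighted_coverage(records, rate):
    """Coverage = (sum of failure rates of detected in-scope nodes) /
    (sum of failure rates of all in-scope nodes), in percent.  With equal
    rates this is the efficiency; with unequal rates the two differ, which
    is the point of the footnote."""
    num = den = 0.0
    for _, cls, detected in records:
        if cls in OUT_OF_SCOPE:
            continue
        w = rate(cls)
        den += w
        if detected:
            num += w
    return 100.0 * num / den


if __name__ == "__main__":
    recs = make_records()
    for unit, row in score_card(recs).items():
        print(f"{unit:10s} valid={row['valid']:3d} undetected={row['undetected']} "
              f"efficiency={row['efficiency']:.2f}%")
    # Hypothetical: the untested program-counter nodes fail 3x as often.
    print("coverage, equal rates :", round(weighted_coverage(recs, lambda c: 1.0), 2))
    print("coverage, pc_upper x3 :", round(weighted_coverage(
        recs, lambda c: 3.0 if c == "pc_upper" else 1.0), 2))
```

With equal rates the weighted figure is the table's 98.55%; if the five untested program-counter nodes were three times as likely to fail as the others, the same test results would correspond to only about 95.8% coverage, which is why the report calls for field failure-rate data before the efficiency number is read as coverage.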




e.  Summary  of  Test  Validation  Procedure 

• The  hardware  validation  procedure  can  be  extended 
to  include  a large  class  of  frequently  encountered 
stuck-at  failures. 

• As  conducted,  the  validation  did  not  exercise  the 
full  potential  of  the  self-test  algorithm.  For 
instance,  the  self-test  checks  the  main  memory 
by  a memory  sum  test  and  "walks"  1's  through  0 
fields  and  0's  through  1 fields  in  the  scratch  pad. 

• Internal  logic  failures  are  difficult  to  simulate. 
Work  is  being  done  in  this  area. 

• Failure  modes  of  common  digital  devices  should  be 
recorded,  as  they  occur,  in  order  to  maintain  a 
continuing  record.  Design  defects  should  be 
distinguished  from  actual  failures. 

• Probabilities  of  device  failures  should  be  esti- 
mated from  actual  field  data. 

• From  the  above  data  realistic  failure  modes  of 
digital  devices  can  be  estimated.  Failure  modes 
with  a high  probability  of  occurrence  should  be 
recognizable  by  the  self-test  algorithm. 
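The two self-test techniques named in the summary (the memory sum test and walking 1's through 0 fields and 0's through 1 fields in the scratch pad), together with the earlier remark that stuck-at bits are caught by forcing every variable to "1" and to "0", as an added example. This is a software model written for this page, not Supplement B's BDX-900 program: the 16-register scratch pad, its 16-bit width, the modular checksum and the area codes are assumptions, since the page gives none of them; the halt values $(251)_8$ and $(151)_8$ are the report's.

```python
"""Walking-bit test of a scratch-pad register file and a program-memory sum
check, with injectable stuck-at faults.

Added example, not the report's program.  Assumptions: 16 registers of 16
bits (the report gives the count but not the width), a plain modular sum as
the memory check, and the area codes returned on a fault.
"""

WORDS, WIDTH = 16, 16
MASK = (1 << WIDTH) - 1
GO_HALT, FAULT_HALT = 0o251, 0o151      # program-counter halt values from the report


class ScratchPad:
    """Register file with stuck-at faults on single bits.
    faults: {(register, bit): stuck_value} -- constructed fault model."""

    def __init__(self, faults=None):
        self.cells = [0] * WORDS
        self.faults = dict(faults or {})

    def write(self, reg, value):
        self.cells[reg] = value & MASK

    def read(self, reg):
        v = self.cells[reg]
        for (r, bit), stuck in self.faults.items():
            if r == reg:
                v = (v | (1 << bit)) if stuck else (v & ~(1 << bit) & MASK)
        return v


def walking_bit_test(pad):
    """Walk a 1 through a field of 0s and a 0 through a field of 1s in every
    register.  Every bit is thereby forced to both values, so any single
    stuck-at-0 or stuck-at-1 bit shows up as a mismatch.
    Returns a list of (register, bit, expected, observed) mismatches."""
    failures = []
    for reg in range(WORDS):
        for bit in range(WIDTH):
            for pattern in (1 << bit, MASK ^ (1 << bit)):
                pad.write(reg, pattern)
                got = pad.read(reg)
                if got != pattern:
                    failures.append((reg, bit, pattern, got))
    return failures


def memory_sum(memory):
    """Modular sum of the words holding the self-test program (assumed form)."""
    return sum(memory) & MASK


def self_test(pad, memory, expected_sum):
    """Run both checks; return (halt_pc, area_code).  The area codes are
    constructed stand-ins for the code the real program loads into an
    accumulator."""
    if walking_bit_test(pad):
        return FAULT_HALT, "SCRATCH_PAD"
    if memory_sum(memory) != expected_sum:
        return FAULT_HALT, "MAIN_MEMORY"
    return GO_HALT, None


PROGRAM = [0o1234, 0o0456, 0o7000, 0o0123]   # constructed program words
GOOD_SUM = memory_sum(PROGRAM)


def demo():
    """Four runs: clean, one stuck bit, one corrupted word, and two
    compensating word changes that the sum test cannot see."""
    results = {"clean": self_test(ScratchPad(), list(PROGRAM), GOOD_SUM),
               "stuck_bit": self_test(ScratchPad({(5, 3): 1}), list(PROGRAM), GOOD_SUM)}
    corrupted = list(PROGRAM)
    corrupted[0] ^= 0o4000
    results["bad_word"] = self_test(ScratchPad(), corrupted, GOOD_SUM)
    compensating = list(PROGRAM)
    compensating[1] += 1
    compensating[2] -= 1                     # sum unchanged: not detected
    results["compensating"] = self_test(ScratchPad(), compensating, GOOD_SUM)
    return results


if __name__ == "__main__":
    for name, (halt, area) in demo().items():
        print(f"{name:13s} halt PC = {halt:o}  area = {area}")
```

The last case is the limit of a plain sum test: two alterations that cancel in the modular sum leave the program counter at $(251)_8$, so a validation that only grounds nodes one at a time (as the breadboard test did) never exercises that weakness, which is one reason the summary says the validation did not exhaust the algorithm's potential.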




SUPPLEMENT  A 


In  order  to  illustrate  the  problems  connected  with  the  fault 
diagnosis  of  a sequential  machine  we  consider  the  following  simple 
sample: 

The  original  and  non-failed  machine,  M,  is  shown  in  Figure  VII-9 
and  the  failed  copy,  M',  in  Figure  VII-10. 

The  fault  diagnostician  is  presented  with  machine,  M',  for 
diagnosis.  He  is  to  determine  that  M'  is  or  is  not  equivalent  to 
M by  introducing  a sequence  of  inputs  into  M*  and  observing  the 
outputs.  He  does  not  know  what  the  initial  state  of  M*  is. 
However,  he  can  assume  that 

a.  number  of  inputs  s 2 

b.  number  of  outputs  a 2 

c.  number  of  states  =2. 

It  would  appear  that  it  is  sufficient  to  test  each  branch  of 
M'  as  though  it  were  Identical  to  M.  The  following  sequence  will 
accomplish  this  purpose  if  M is  initially  in  state,  S^t 

x-|,  X2,  x^,  Xj 

If  the  sequence  is  repeated,  just  for  good  measure,  then  we 
would  observe  the  response 

xi,  X2»  x^,  X2»  x^,  X2»  x^,  X2 

Y1»  Y2»  Yl»  Vy  YV  Y2*  • 

We  suppose  that  the  failed  copy  is  initially  in  state,  S-j, 
when  subjected  to  the  above  sequence.  Then  we  would  observe,  as 
the  reader  can  verify  from  the  state  diagram: 

x^,  X2»  X.,,  X2»  x^,  X2»  x^,  X2 

q Yv  Y2»  Yi»  Y^»  Yi*  Y^»  Y^ 

The  response  is  the  same  as  would  have  been  obtained  from 
M! 

If  the  tester  had  been  lucky  he  would  have  tried  the  sequence 
X2r  X2.  The  response  of  M would  have  been: 


initial state = S1:  x2, x2
                     y1, y1

initial state = S2:  x2, x2
                     y2, y2

But the response of M' would have been:

initial state = S1:  x2, x2
                     y2, y1

initial state = S2:  x2, x2
                     y1, y2

Thus, for machine M' an input sequence of length 2 would have been sufficient to distinguish between M' and M.
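The diagnosis problem above, as an added example that is not part of the report: a Python model of two-state Mealy machines M and M'. The transition tables are constructed to reproduce the responses quoted in this supplement (they are not taken from Figures VII-9 and VII-10, which are not reproduced here), and the search generalizes the supplement's point by finding the shortest input sequence whose possible responses from M' cannot be confused with any response of M, whatever the unknown initial state.

```python
# Added example (not from the report): Mealy-machine model of the
# Supplement A diagnosis problem.  M and M_FAILED are constructed to
# reproduce the responses quoted in the supplement; they are not copied
# from Figures VII-9 and VII-10.
from itertools import product

# Transition tables: (state, input) -> (next_state, output)
M = {
    ("S1", "x1"): ("S2", "y1"),
    ("S1", "x2"): ("S1", "y1"),
    ("S2", "x1"): ("S2", "y1"),
    ("S2", "x2"): ("S2", "y2"),
}

# Failed copy M': the x2 branches are corrupted, the x1 branches are not.
M_FAILED = {
    ("S1", "x1"): ("S1", "y1"),
    ("S1", "x2"): ("S2", "y2"),
    ("S2", "x1"): ("S1", "y1"),
    ("S2", "x2"): ("S1", "y1"),
}

INPUTS = ("x1", "x2")
STATES = ("S1", "S2")


def run(machine, start, inputs):
    """Apply an input sequence from a known start state; return the outputs."""
    state, outputs = start, []
    for x in inputs:
        state, y = machine[(state, x)]
        outputs.append(y)
    return tuple(outputs)


def responses(machine, inputs):
    """Every response the tester could observe when the initial state is unknown."""
    return {run(machine, s, inputs) for s in STATES}


def distinguishes(good, failed, inputs):
    """True if no response of the failed copy could also have come from the good machine."""
    return responses(good, inputs).isdisjoint(responses(failed, inputs))


def shortest_distinguishing_sequence(good, failed, max_len=6):
    """Brute-force search, shortest first, for a sequence that separates the machines."""
    for n in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=n):
            if distinguishes(good, failed, seq):
                return seq
    return None


if __name__ == "__main__":
    branch_walk = ("x1", "x2") * 4
    print("M  from S1:", run(M, "S1", branch_walk))
    print("M' from S1:", run(M_FAILED, "S1", branch_walk))
    print("walk distinguishes?", distinguishes(M, M_FAILED, branch_walk))   # False
    print("shortest:", shortest_distinguishing_sequence(M, M_FAILED))        # ('x2', 'x2')
```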




SUPPLEMENT B

SELF-TEST PROGRAM DESCRIPTION


INSTRUCTION SET

MNEMONIC   INSTRUCTION

ADD        ADD
SUB        SUBTRACT
CMP        COMPARE
LOAD       LOAD
STO        STORE
JU         JUMP
JSAi       Jump and Mark in Ai
JSM        Jump and Mark in memory
ADDR       Add registers
IAR        Immediate add to register
SUBR       Subtract registers
CMPR       Compare registers
MPY        Multiply registers
DIV        Divide registers
TRA        Transfer
IR         Interchange registers
AND        AND
OR         OR
LCM        Logical complement
ACM        Arithmetic complement
CLA        Clear register
CLAO       Clear register and overflow
SLSL       Shift left short logical
SRSL       Shift right short logical
SLSA       Shift left short algebraic
SRSA       Shift right short algebraic
RLS        Rotate left short
SLLL       Shift left long logical
SRLL       Shift right long logical
SLLA       Shift left long algebraic
SRLA       Shift right long algebraic
RLL        Rotate left long
DECEQ      Decrement and skip if zero
DECNE      Decrement and skip if not zero
SKGT       Skip if > 0
SKLE       Skip if ≤ 0
SKGE       Skip if ≥ 0
SKLT       Skip if < 0
SKEQ       Skip if = 0
SKNE       Skip if ≠ 0
SSOV       Skip if overflow set
SROV       Skip if overflow reset
SSIE       Skip if interrupt enable set
SRIE       Skip if interrupt enable reset
SSF1       Skip if flag 1 set
SRF1       Skip if flag 1 reset
SSF2       Skip if flag 2 set
SRF2       Skip if flag 2 reset
STIR       Skip if interrupt request true
SFIR       Skip if interrupt request false
STE1       Skip if external 1 true
SFE1       Skip if external 1 false
STE2       Skip if external 2 true
SFE2       Skip if external 2 false
STE3       Skip if external 3 true
SFE3       Skip if external 3 false
SET        Set indicators
RESET      Reset indicators
FLIP       Complement indicators
CONT       Control indicators
NOP        No operation
HALT       Halt
OD         Output data
OSR        Output data skip if ready
ID         Input data
ISR        Input data skip if ready
OC         Output control
ISW        Input switch register


1.0 INTRODUCTION

The BDX900 self-test consists of a self-test program, to be loaded into the BDX900 computer memory and then executed.

The  self-test  program  is  designed  to  test  all  macro 
instructions  except  the  I/O  instructions  and  those  skip 
instructions  associated  with  external  signals.  All 
micro  words  within  the  micro  memory  are  executed  at  least 
once  except  those  associated  with  'power  on',  'test  set', 
interrupt  and  the  above  mentioned  macro  instructions. 

2.0  DESCRIPTION 

The  self-test  program  consists  of  24  blocks  or  sections. 
Figure  VII-11  shows  a memory  map  of  the  program  and  the 
BDX900  assembler  print-out  shows  the  actual  program.  Each 
of  the  blocks  is  described  below: 

Block 1 - This section consists of temporary storage locations and constants used by the self-test program.

Block 2 - This section contains the sequence control instructions that direct the self-test program through the various test sections and cause the computer to halt when an error occurs.

Block  3 - This  section  contains  the  memory  test.  The  test 
consists  of  forming  a running  sum  of  the  contents 
of  all  memory  locations  used  in  the  self-test 
program.  The  final  sum  is  compared  with  a stored 
constant. 

Block 4 - This section contains instructions that interrogate bit 14 of the test set switch register. If bit 14 = 1 the indirect level test is entered. If bit 14 = 0 the indirect level test is by-passed.

The indirect level test attempts to execute all memory reference instructions using sixteen levels of indirect addressing. Correct execution of each instruction causes the computer to come to a halt with the indirect light in the 'on' state.




Address    Memory Contents                   Address     Memory Contents
(octal)                                      (octal)

000-141    Temporary Storage                 1101-1167   Test #8
           Memory Block 1                                Memory Block 13

142-156    Self-Test Program Sequence        1170-1234   Test #9
           Control Instructions                          Memory Block 14
           Memory Block 2

157-171    Memory Test                       1235-1254   Test #10
           Memory Block 3                                Memory Block 15

172-244    Indirect Test (optional)          1255-1340   Test #11
           Memory Block 4                                Memory Block 16

245-377    Halt or Recycle (optional)        1341-1416   Test #12
           Memory Block 5                                Memory Block 17

400-447    Test #1                           1417-1514   Test #13
           Memory Block 6                                Memory Block 18

450-564    Test #2                           1515-1552   Test #14A
           Memory Block 7                                Memory Block 19

565-630    Test #3                           1553-1626   Test #14B
           Memory Block 8                                Memory Block 20

631-654    Test #4                           1627-1663   Test #14C
           Memory Block 9                                Memory Block 21

655-776    Test #5                           1664-1754   Test #15
           Memory Block 10                               Memory Block 22

777-1023   Test #6                           1755-2074   Test #16
           Memory Block 11                               Memory Block 23

1024-1100  Test #7                           2075-2154   Test #17
           Memory Block 12                               Memory Block 24

SELF-TEST MEMORY MAP
FIGURE VII-11




Block 5 - This section contains instructions that interrogate bit 15 of the test set switch register. If bit 15 = 0 the self-test program is executed once and halted. If bit 15 = 1 the self test program is recycled and continuously executed until the switch is thrown to the zero state.

Block  6 (Test  1)  - This  section  is  called  Test  1 and  is 
the  first  section  entered  when  the  self  test 
program  starts  execution.  Those  instructions 
associated  with  error  detection  are  partially 
tested  until  it  is  determined  that  they  work 
sufficiently  well  for  that  purpose.  The 
instructions  partially  tested  are: 

• CMP (BASE ADDRESS), OVERFLOW NOT TESTED

• LOAD (BASE ADDRESS)

• IAR, OVERFLOW NOT TESTED

• JSA1 (BASE ADDRESS)

a)  The  "CMP"  instruction  is  partially  tested  by 
forming  values  in  accumulators  and  comparing 
them  against  stored  constants.  All  three 
conditions  are  tested  - greater  than,  equal  to, 
and  less  than.  The  overflow  condition  is  not 
tested  at  this  time.  Only  direct,  base  page 
addressing  is  tested. 

b)  The  "LOAD"  instruction  is  tested  by  loading  an 
accumulator  and  then  comparing  against  a stored 
constant.  Again  only  direct,  base  page 
addressing  is  used  at  this  time. 

c) The "IAR" instruction is partially tested by incrementing and decrementing an accumulator and comparing the result in each case against a stored constant. Testing of the overflow condition and incrementing and decrementing by larger amounts are deferred to a later section.

d) The "JSA1" instruction is tested in conjunction with the "CMP" instruction by placing the "JSA1" instruction in the proper skip location following the "CMP" instruction. If the compare was executed properly a skip will be made to a "JSA1" instruction which in turn causes a jump to a location where an "IAR" instruction is stored. The "IAR" instruction causes the contents of an accumulator to be incremented thereby building up a check-sum. At the end of test 1, the check-sum is compared against a stored constant to determine if each "JSA1" instruction caused a jump to its proper location.

The address stored in accumulator A1 by the execution of a "JSA1" instruction is also compared against a stored constant.

Only direct, base page addressing is used at this time for the "JSA1" instruction.

Block 7 (Test 2) - This section completely tests the control and skip on indicator instructions. In this section as well as all the other test sections, no instruction is executed within a section unless that instruction has been previously tested in past sections or unless that instruction is presently under test. The instructions tested in this section are:

a) CONT   f) SSF1

b) SSOV   g) SRF1

c) SROV   h) SSF2

d) SSIE   i) SRF2

e) SRIE

The control and skip on indicator instructions are tested by setting the overflow, interrupt enable, flag 1 and flag 2 flip-flops and then attempting to skip on the respective flip-flops being reset as well as being set.

The  above  is  repeated  after  the  flip-flops  have 
been  toggled  and  repeated  after  the  flip-flops 
have  been  reset. 




Each  tine  a skip  is  made  an  accumulator  is 
incremented  thereby  developing  a check-sum 
which  is  compared  against  a stored  constant 
at  the  end  of  the  test  to  insure  that  all  skips 
are  made  to  the  correct  location. 

Block 8 (Test 3) - The complementing instructions LCM and ACM are tested in this section.

The  "LCM"  and  "ACM"  instructions  are  tested  by 
complementing  a known  value  of  an  accumulator 
and  transferring  the  result  back  to  the  same 
accumulator  and  also  complementing  the  value  in 
one  accumulator  and  transferring  it  to  a second 
accumulator.  The  results  are  always  compared 
against  stored  constants. 

In  addition,  accumulators  AO,  A1,  A2  and  A3 
are  tested  in  the  process  because  each  bit  of 
these  accumulators  contains  a "1"  and  a "0" 
during  the  test. 

Block 9 (Test 4) - The IAR instruction is completely tested in this section including arithmetic overflow. An accumulator containing a known value is incremented and decremented using "IAR" instructions such that both the overflow and no overflow condition are generated while incrementing through positive values and also while decrementing through negative values.

The  final  sum  is  compared  against  stored 
constants. 

Block 10 (Test 5) - The TRA, ADDR, and SUBR instructions are tested in this section (including arithmetic overflow). The accumulator registers A4 through A15 are tested by placing a "1" and "0" into every bit of every register. This is accomplished by using the "ADDR", "TRA" and "LCM" instructions. In the process, the "TRA" instruction is tested.

The  "ADDR"  and  "SUBR"  instructions  are  tested 
including  arithmetic  overflow  by  generating  pre- 
determined sums  and  differences  that  produce 
overflows  and  no  overflows.  Skips  are  then  made 
on  the  state  of  the  overflow  flip-flop.  The  sums 
and  differences  are  compared  against  stored  con- 
stants. 




Block 11 (Test 6) - The ADD (BASE ADDRESS) and SUB (BASE ADDRESS) are tested (including arithmetic overflow) in this section.

Predetermined sums and differences are generated that produce and don't produce arithmetic overflows. Skips are then made on the state of the overflow flip-flop. The sums and differences are compared against stored constants. Only direct, base addressing mode is used at this time.

Block 12 (Test 7) - The CMPR instruction is completely tested in this section. The CMP (BASE ADDRESS) is further tested for arithmetic overflow.

The  "CMPR"  instruction  is  tested  by  forming  pre- 
determined values  in  accumulators  and  comparing 
them  against  stored  constants.  All  three  condi- 
tions are  tested  - greater  than,  equal  to,  and 
less  than. 

The  overflow  condition  is  also  tested  for  both  the 
"CMPR"  and  "CMP"  instructions  by  generating  over- 
flows for  both  the  "CMPR"  and  "CMP"  and  skipping 
on  the  overflow  state. 

Only  direct,  base  addressing  mode  is  used  at  this 
time  for  the  "CMP"  instruction. 

Block  13  (Test  8)  - The  skip  on  accumulator  instructions 
and  the  decrement  and  skip  instructions  are 
completely  tested  here.  These  instructions  are: 

a)  SKGT  e)  SKEQ 

b)  SKLE  f)  SKNE 

c)  SKGE  g)  DECEQ 

d)  SKLT  h)  DECNE 

The  skip  on  accumulator  instructions  are  tested 
for  both  the  skip  condition  and  the  non-skip 
condition  by  loading  an  accumulator  with  a known 
value  and  attempting  to  skip  on  that  accumulator. 

If a skip is made on a non-skip condition the self-test program is halted. If a skip is made on a skip condition the first instruction encountered after the skip instruction is an "IAR" instruction which causes an accumulator to be incremented thereby generating a check-sum. This check-sum is compared against a known value at the end of the test to determine if all skips were made to the correct location.

The "DECEQ" and "DECNE" instructions are also tested in the same manner as above including the generation of arithmetic overflows.

Block  14  (Test  9)  - The  logical  "AND"  and  "OR"  instructions 
are  tested  in  this  section. 

Both  instructions  are  executed  with  known  values 
in  accumulators  so  that  each  pair  of  bits  "anded" 
or  "ored"  together  will  successively  contain  one 
of  the  four  possible  binary  combinations. 

Block  15  (Test  10)  - The  register  interchange  instruction 
IR  is  tested  here  along  with  its  special  case  CLA. 

The "IR" instruction is tested here by loading known values into two accumulators and interchanging the contents of those accumulators. The result is tested and the accumulators are again interchanged back to the initial configuration where the result is again tested.

Block 16 (Test 11) - The short shift instructions are tested in this section along with overflow for algebraic left shift. They are:

a)  SLLL  d)  SRLA 

b)  SRLL  e)  RLL 

c)  SLLA 

In  order  to  execute  every  micro  word  associated 
with  the  short  shifts  each  shift  instruction  must 
be  executed  at  least  three  times  - once  with  a 
shift  of  zero  bit  positions,  second  with  a shift 
of  one  bit  position  and  third  with  a shift  of  more 
than  one  bit  position. 

Various  bit  patterns  were  used  from  a "one"  in 
the  word  to  many  "one's".  After  each  shift  the 
result  was  added  into  a check-sum  and  the  final 
check  sum  was  compared  against  a stored  constant. 

The  overflow  condition  for  the  (SLSA)  instruction 
was  tested. 




Block 17 (Test 12) - The long shift instructions are tested in this section along with overflow for the algebraic left shift. These instructions are:

a) SLLL   d) SRLA

b) SRLL   e) RLL

c) SLLA

Testing the long shifts is accomplished in the same manner as the short shifts.

Block 18 (Test 13) - The multiply instruction MPY is tested in this section.

In order to test the (MPY) instruction eight different multiply instructions were programmed in order to execute every micro word associated with the multiply instruction. After each multiplication the double length product is tested by comparing it against a stored constant.

Blocks 19, 20, 21 (Test 14A, B, C) - The divide instruction is tested in these sections. As the divide test is fairly long it is broken into three sections to provide easier entry for an operator executing the self-test on a "single instruction" basis.

Seventeen divide instructions were programmed in order to execute every micro word associated with the divide instruction. Four of these divisions were needed to test the divide overflow for the possible sign configurations of the operands.

After each divide instruction was executed the resultant quotient and remainder were either used as the operands for another divide or were added into a check-sum which was periodically compared against a stored constant.

Block 22 (Test 15) - This section tests all forms of direct addressing for the memory reference instructions. The instructions tested here are:

a) ADD    d) CMP

b) SUB    e) JSA0

c) LOAD   f) JSA1

Each  instruction  is  tested  for  the  four  forms  of 
addressing  base,  relative  to  Program  Counter, 
relative  to  accumulator  AO,  and  relative  to 
accumulator  A1 . 

A memory  constant  is  loaded  in  an  accumulator 
via  a load  instruction.  A second  memory  constant 
is  added  to  the  first  via  an  add  instruction 
followed  by  the  subtraction  of  a third  memory  con- 
stant via  a subtract  instruction.  The  result  is 
compared  against  a fourth  memory  constant  via  a 
compare  instruction.  The  above  is  repeated  for 
each  form  of  addressing. 

The  JSAO,  JSA1,  and  JU  instructions  are  tested  by 
programming  jumps  in  the  four  forms  of  addressing. 

Block 23 (Test 16) - This section tests all forms of indirect addressing for the instructions listed above in Test 15.

The instructions are tested as in the previous test except that all the instructions are executed with two levels of indirect addressing.

Block 24 (Test 17) - In this section the STO and JSM instructions are completely tested. This is accomplished by successively loading and storing several stored constants into an accumulator.

These constants are in reality instructions. A jump is made via a JSM instruction to the first of the successively stored instructions. The short routine is executed and a jump via an indirect JU instruction is made back to the test section. The four forms of addressing are tested in both the direct and indirect mode.

3.0  THEORY  OF  OPERATION 

In  this  section  a description  of  the  general  flow  of  the 
self-test  program  will  be  given.  Figure  VII-12  shows  a 
flow  diagram. 

Execution of the self-test program begins with the instruction labeled "START" which clears a check sum location to zero before entering Test 1. If an error is detected during the execution of the early portion of Test 1 before it is determined that the JSA1 instruction is working sufficiently well, the computer will be halted by a HALT instruction imbedded within Test 1. If an error occurs after it has been determined that the JSA1 instruction is working sufficiently well then a jump to the sequence control instruction labeled PNTER is made. At this point the computer is halted and accumulator A1 will contain the address of the instruction from which the jump was made.

If no error is detected when the end of Test 1 is reached a jump is made to the sequence control instruction labeled PNTOK where a check sum is updated followed by a jump to the first instruction of Test 2. The above process is continued from Test 2 through Test 16. If an error is detected a jump is made to PNTER where the computer is halted with the "jump out" address contained in A1. If no error is detected by the end of the test a jump is made to PNTOK where a check sum is updated followed by a jump to the next test.

Eventually, a jump is made to Test 17 via PNTOK. Detected errors are treated in the same manner as in previous tests. However, if no error is detected by the end of Test 17 a jump is made to the instruction labeled PNTND where the check sum is tested. The check sum (CKSUM) is simply the cumulative sum of each address of the locations from which the jumps were made to PNTOK, plus +1. If the check sum is not correct a jump is made to PNTER with A1 containing the address of the "jump out" location. If the check sum is correct a jump is made to the memory test.

The memory test forms a running sum of the contents of all memory locations from octal 0011 through 2154 and compares the result against a known value. If the comparison shows the sum is in error a jump is made to PNTER with accumulator A2 containing the "jump out" address.

A correct comparison here indicates that the memory test and the self test have passed.

At this point the contents of the test set (console) switch register is interrogated. If bit 14 = 1 the indirect level test is executed. If bit 14 = 0 the indirect level test is by-passed.

Finally, the contents of the test set switch register bit 15 is interrogated. If bit 15 = 0 the computer is halted. If bit 15 = 1 the self-test program is repeated.
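The sequence-control flow described in this section, as an added example that is not taken from the report's BDX900 program: a Python model in which each passing test adds its PNTOK jump-out address into CKSUM, PNTND compares CKSUM with the stored constant, and the memory sum test follows. The check-sum rule and the octal sum range come from the text; the test bodies, their jump-out addresses, the PNTND address, the memory image and the 16-bit word width are assumptions.

```python
# Added example, not the report's BDX900 program: model of the self-test
# sequence control of section 3.0.  Jump-out addresses, the PNTND address,
# the test bodies and the memory image are constructed for illustration.
WORD = 1 << 16                     # assumption: 16-bit words, sums wrap modulo 2**16
MEM_LO, MEM_HI = 0o0011, 0o2154    # memory sum range, octal (from the report)
PNTND = 0o150                      # constructed address of the PNTND instruction


class SelfTestHalt(Exception):
    """Stands in for the halt at PNTER; carries the detecting point and the
    'jump out' address the real program would leave in accumulator A1."""

    def __init__(self, where, jump_out):
        super().__init__(f"halt detected at {where}, A1 = {jump_out:o} (octal)")
        self.where, self.jump_out = where, jump_out


def expected_cksum(jump_outs):
    """Stored CKSUM constant: cumulative sum of each jump-out address, plus 1."""
    return (sum(jump_outs) + 1) % WORD


def run_sequence(tests, stored_cksum):
    """Run the tests in order; each entry is (jump_out_address, test_function).

    A failing test jumps to PNTER with its jump-out address.  A passing test
    jumps to PNTOK, which adds the jump-out address into CKSUM.  PNTND then
    compares CKSUM with the stored constant, so a test that was skipped or
    left from the wrong location is caught even though no test reported an error.
    """
    cksum = 0                                 # START clears the check sum
    for jump_out, test in tests:
        if not test():
            raise SelfTestHalt("PNTER", jump_out)
        cksum = (cksum + jump_out) % WORD     # PNTOK
    cksum = (cksum + 1) % WORD
    if cksum != stored_cksum:                 # PNTND
        raise SelfTestHalt("PNTND", PNTND)
    return cksum


def halt_point(tests, stored_cksum):
    """'ok', or the name of the control point that detected the error."""
    try:
        run_sequence(tests, stored_cksum)
        return "ok"
    except SelfTestHalt as halt:
        return halt.where


def memory_sum(memory):
    """Running sum of every word in the tested range, as the memory test forms it."""
    return sum(memory[MEM_LO:MEM_HI + 1]) % WORD


def memory_test_detects(image, stored_sum, flips):
    """XOR the given (address, mask) faults into a copy; True if the sum test catches them.
    A single flipped bit always changes a modular sum; two flips of the same
    bit in words of opposite value cancel, which is the limit of a plain sum."""
    damaged = list(image)
    for addr, mask in flips:
        damaged[addr] ^= mask
    return memory_sum(damaged) != stored_sum


def constructed_memory():
    """Deterministic stand-in for the program image (not the real contents)."""
    return [(0o125252 * (addr + 1)) % WORD for addr in range(MEM_HI + 1)]


# Constructed scenarios.  The jump-out addresses are made up; in the real
# program they are the locations of the jumps to PNTOK at the end of each test.
GOOD_TESTS = [(0o446, lambda: True), (0o563, lambda: True), (0o627, lambda: True)]
CKSUM_CONST = expected_cksum([addr for addr, _ in GOOD_TESTS])
# Fault 1: the second test detects an error and jumps to PNTER.
FAILING_TESTS = [(0o446, lambda: True), (0o563, lambda: False), (0o627, lambda: True)]
# Fault 2: no test reports an error, but the second test is left from 0o562
# instead of 0o563 (a skip landed one word off).  Only CKSUM catches this.
MISROUTED_TESTS = [(0o446, lambda: True), (0o562, lambda: True), (0o627, lambda: True)]


if __name__ == "__main__":
    print("all pass:", halt_point(GOOD_TESTS, CKSUM_CONST))            # ok
    print("test 2 fails:", halt_point(FAILING_TESTS, CKSUM_CONST))     # PNTER
    print("test 2 misrouted:", halt_point(MISROUTED_TESTS, CKSUM_CONST))  # PNTND
    image, stored = constructed_memory(), memory_sum(constructed_memory())
    print("one stuck bit caught:", memory_test_detects(image, stored, [(0o1000, 1)]))
    print("cancelling pair caught:", memory_test_detects(image, stored, [(0o1000, 2), (0o1001, 2)]))
```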




APPENDIX VIII

MULTIPLEX COMMUNICATIONS


Flight  control  systems  and  most  particularly  redundant  systems 
generally  require  large  numbers  of  communications  paths  between 
the  flight  control  computer  and  the  several  subsystems  which 
interface  with  it.  Assuming  that  the  flight  control  computer 
is  a digital  computer  the  primary  communications  links  are: 

• Digital  computers  to  and  from  sensors 

• Digital  computers  to  and  from  digital  computers 

• Digital  computers  to  and  from  actuators 

• Digital computers to and from control and display panels

The number of links required depends upon the degree of cross-strapping required, the level of redundancy and monitoring strategy.

State-of-the-art development in the area of microminiaturization has made it possible to consider the use of multiplex communications links for data transfer. With this technique a single communications path can be shared by more than one signal, thus reducing the number of paths and the corresponding connectors in the digital computer. These and other potential benefits of multiplexing are summarized as follows:

• Reduction  in  wires  and  wire  weight. 

• Standardization  of  subsystem  interfaces. 

• System flexibility - modifications can be imposed on the system in the form of additional sensors or displays without the necessity for extensive rewiring.

• Reduction in connectors and pins particularly in the digital computer I/O.

• Potential  improvement  in  EMI  and  EMR  due  to  fewer 
wires  and  the  use  of  shielded,  twisted  pair  wires 
for  data  bussing. 




It has been suggested that multiplexing results in improved detection of failures of the bus and improved detection and isolation of failure of interface units. These benefits appear to be specious because failure rates of signal paths are insignificant compared with failure rates of the subsystems. Moreover, since special interface units were introduced to accommodate multiplexing, failure detection and isolation to these units can hardly be considered an advantage. Failures of subsystems will remain as difficult to detect and isolate as formerly.

The  advantages  of  multiplexing  are  considerable  particularly 
the  reduction  in  wires,  standardization  of  interface  and 
system  flexibility.  It  may  reasonably  be  anticipated  that 
multiplexing  will  soon  become  a standard  feature  of  the  flight 
control  system.  At  the  present  time,  however,  the  cost  of 
multiplexing  may  tend  to  offset  some  of  these  benefits.  Of 
the  enumerated  benefits  none  appears  to  provide  an  improvement 
in  system  reliability.  If  anything,  a reduction  in  relia- 
bility can  be  expected  due  to  the  proliferation  of  interface 
units  which  are  required  to  accommodate  the  multiplex  system. 

In  order  to  achieve  standardization,  it  appears  that  each  sub- 
system (for  instance,  a single  sensor)  will  require  a dedicated 
A/D  and  D/A  converter,  a serial  transmitter  and  receiver  with 
transformer  coupling,  encoders,  decoders,  clock  oscillators, 
etc.  Since  these  units  will  replace  the  present  multiplexed 
computer  I/O  the  additional  cost  in  size,  weight  and  dollars 
could  be  prohibitive. 

In the following sections an attempt will be made to evaluate the impact of multiplexing on redundancy management. Several multiplex and dedicated communications systems will be selected for a triplex configuration and compared with respect to the following parameters:

• Bus  loading 

• Real  time  to  process  data 

• Weight  of  wires  and  interface  units 

• Reliability 

With  the  tradeoff  as  our  goal  we  proceed  to  define  the  pertinent 
characteristics  of  the  multiplex  system. 




1. Characteristics of the Multiplex System


It will be assumed that the multiplex system is a time division multiplex system as described in the Proposed Military Standard for Aircraft Multiplex Data Bus, revised July, 1973.

In this system data is transferred in serial, digital pulse code modulation form. The data code is Manchester Bi-Phase Level as defined in MIL-STD-442. From the standpoint of flight control systems redundancy requirements, the following specifications regarding the multiplex system are pertinent:

a.  The  communications  systems  consists  of  a set  of  sub- 
systems (e.g.,  sensors,  actuators,  digital  computers,  displays, 
controls)  which  may  communicate  with  each  other  or  with  the 
digital  computer  via  a multiplex  bus. 

b.  The  interface  between  each  subsystem  and  the  bus 
consists  of: 

• Multiplex  Terminal  Unit  (MTU) 

• Subsystem  Interface  Unit  (SSIU) 

• Additional  subsystem  electronics  to  interface 
with  the  SSIU 

The  purpose  of  the  MTU  is  to  interface  between  the  bus 
and  the  SSIU.  The  MTU  is  a common  element  in  all  subsystems 
and  consists  of  a transmitter,  receiver,  coupling  transformer, 
clock  oscillator  and  associated  electronics.  The  MTU  detects 
signals  on  the  bus,  converts  from  Manchester  to  NRZ  and  per- 
forms a parity  check.  Similarly,  the  MTU  receives  NRZ  data 
from  the  SSIU,  encodes  the  data  to  Manchester  and  transmits 
over  the  bus. 

The SSIU is application dependent and may differ for each subsystem. For purposes of this study, we define a standard SSIU which may interface with a sensor, an actuator or a digital computer. The SSIU receives NRZ data from the MTU and
converts  it  to  a parallel  word.  The  appropriate  information 
is  extracted  and  transmitted  to  the  subsystem.  In  the  reverse 
direction  the  SSIU  receives  parallel  NRZ  data  from  the  sub- 
system, encodes  and  converts  it  to  serial  form  and  transfers 
it  to  the  MTU.  When  interfacing  with  a digital  computer  the 
SSIU  data  will  be  gated  onto  an  internal  computer  bus  to  be 
transferred  to  an  appropriate  accumulator  or  memory  location. 

In the reverse direction the data is gated from the internal computer bus to the SSIU. When the SSIU interfaces with a sensor it will operate primarily (exclusively except for BIT) in the receiving mode to accept data previously converted from analog to digital form in the subsystem. The necessary electronics, including the A/D converter, is contained in the subsystem. When the SSIU interfaces with an actuator it will operate in both the transmit and receive modes. Data will be transmitted to the subsystem for D/A conversion and received from the subsystem having been previously converted from analog to digital form.
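The Manchester/NRZ conversion and parity check that the MTU performs, as an added example that is not the report's or the proposed standard's logic. Assumed, because this page does not state them: a logic 1 is a high-to-low transition at mid-bit and a logic 0 the reverse, parity is odd over the whole word, and a word is carried as 16 data bits plus one parity bit rather than the 20-bit formats of Figure VIII-5.

```python
# Added example, not the report's MTU logic: Manchester bi-phase-level
# encode/decode with a parity check.  Conventions below are assumptions:
# 1 -> (high, low), 0 -> (low, high); odd parity; 16 data bits + 1 parity bit.
DATA_BITS = 16


def int_to_bits(value, width=DATA_BITS):
    """MSB-first NRZ bit list of a parallel word handed over by the SSIU."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def odd_parity_bit(bits):
    """Parity bit that makes the total number of ones odd."""
    return 0 if sum(bits) % 2 else 1


def nrz_to_manchester(bits):
    """Each NRZ bit becomes two half-bit levels: 1 -> (1, 0), 0 -> (0, 1)."""
    levels = []
    for b in bits:
        levels.extend((1, 0) if b else (0, 1))
    return levels


def manchester_to_nrz(levels):
    """Inverse of nrz_to_manchester; a half-bit pair with no transition is a code error."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for first, second in zip(levels[0::2], levels[1::2]):
        if first == second:
            raise ValueError("no mid-bit transition")
        bits.append(1 if first == 1 else 0)
    return bits


def transmit(value):
    """SSIU -> MTU -> bus: frame a 16-bit value with odd parity, then encode."""
    data = int_to_bits(value)
    return nrz_to_manchester(data + [odd_parity_bit(data)])


def receive(levels):
    """Bus -> MTU -> SSIU: decode, then parity-check.  Returns (status, value)."""
    try:
        word = manchester_to_nrz(levels)
    except ValueError:
        return ("code error", None)
    if len(word) != DATA_BITS + 1:
        return ("length error", None)
    if sum(word) % 2 != 1:
        return ("parity error", None)
    return ("ok", bits_to_int(word[:DATA_BITS]))


def invert_bits(levels, bit_positions):
    """Fault injection: invert whole bit symbols (both half-bits) on the line."""
    damaged = list(levels)
    for pos in bit_positions:
        damaged[2 * pos] ^= 1
        damaged[2 * pos + 1] ^= 1
    return damaged


def stuck_half_bit(levels):
    """Fault injection: the second half of the first bit is stuck at the first half's level."""
    damaged = list(levels)
    damaged[1] = damaged[0]
    return damaged


if __name__ == "__main__":
    word = transmit(0o123456)                       # constructed sample value
    print(receive(word))                            # ('ok', 42798)
    print(receive(invert_bits(word, [3])))          # ('parity error', None)
    print(receive(invert_bits(word, [3, 9])))       # two inverted bits pass parity
    print(receive(stuck_half_bit(word)))            # ('code error', None)
```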

Figures  VIII-1,  VIII-2,  VIII-3  and  VIII-4  show  the 
functional  block  diagram  of  the  multiplex  system,  MTU,  SSIU  and 
the  subsystem  interface  electronics,  respectively. 

c. The bus traffic is controlled by the command/response rule according to which an MTU will respond only when commanded to by the bus controller.

d. For our purposes the bus controller will be associated with a digital flight control computer and will, if necessary, utilize applicable portions of the I/O or DMA control hardware as well as computer software.

e.  The  use  of  transformer  coupling  reduces  the  suscept- 
ibility to  hot  shorts  and  the  use  of  stubbing  prevents  loss  of 
the  main  bus  due  to  "opens"  at  or  near  the  terminal  units. 

The bus, however, is susceptible to extraneous AC signals which may be injected by any transmitter on the line. Accordingly, if a single transmitter interfaces with every redundant bus, then a single failure can result in loss of the entire communications system. While this event may not be very probable (and this must be demonstrated in any case) if detection and disengage capability is provided in each subsystem, the possibility, however remote, of a single failure causing loss of the entire system must be avoided whenever possible. As a consequence, the multiplex system will be subject to the same restrictions regarding common failures as all other subsystems. In particular, in no circumstances will a transmitter unit have access to more than one bus.

f. Each MTU will perform a self test to detect any signal
transmission from itself to the data bus which has not been
commanded by the bus controller. Detected failures will cause
the MTU to disengage itself from the bus.

g.  The  data  transmission  rate  of  the  bus  will  be  one 
megabit  per  second  (or,  equivalently,  one  bit  per  microsecond) . 


[Figures VIII-1 through VIII-4: functional block diagrams, not reproduced]


h. Data will be transmitted in words: either a command
word, a data word or a status word. Each word will consist of
20 binary bits. The respective word formats are shown in Figure
VIII-5.

i. A message from the bus controller to an MTU will consist
of a command word to either transmit or receive data.
If the command is to receive data the bus controller will then
transmit the data words as specified by the word count. Upon
reception of the last data word the MTU will transmit a status
word back to the controller. If the command is to transmit
data then the MTU will transmit a status word to the bus
controller followed by the data stream as specified by the word
count. In flight control applications the bus controller
will request the transmission of a single word at a time,
the exception being intercomputer transfers or actuator feedback
variables. As a consequence, and according to the MIL
Standard, three serial words would be required to transmit a
single data word: a command word, the data word and a status
word. Since this could result in excessive bus loading we
take the liberty of eliminating the status word and reserve
the unused bits of the 16 bit data word for error coding.
This is justified since only 12 bits can be practicably
utilized by an A/D or D/A converter at the present time. In
all subsequent estimates we will assume that two 20 bit
serial words are required to transmit one data word.
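The two-word exchange described above, as an added example (example code, not from the report): a bus controller and two MTUs exchange 20-bit serial words. The word layout follows the MIL-STD-1553 convention the report cites (3-bit sync, 16-bit field, odd parity bit, 20 bits in all) and the 1553 command-field layout; the sync patterns, the choice of a 4-bit CRC as the "error coding" placed in the four unused bits of the 16-bit data field, and all class and function names are this example's own assumptions, since Figure VIII-5 is not reproduced here. It shows that an MTU puts nothing on the bus unless a command word carries its address, that one data word costs exactly two serial words once the status word is dropped, and that the parity bit and the check code between them catch the single- and double-bit corruptions injected below.

```python
"""Command/response exchange of 20-bit serial words on a multiplexed bus.

Added example, not from the report.  Word framing follows MIL-STD-1553
(3-bit sync | 16-bit field | odd parity); sync patterns, the CRC-4 used as
the error code in the four unused data bits, and the MTU/controller
interfaces are this example's own assumptions.
"""

SYNC_CMD = 0b101      # assumed sync pattern for command words
SYNC_DATA = 0b010     # assumed sync pattern for data words
CRC4_POLY = 0x3       # x^4 + x + 1 (CRC-4-ITU); an illustrative choice of code


def crc4(sample12: int) -> int:
    """4-bit CRC of a 12-bit converter sample, MSB first."""
    reg = 0
    for i in range(11, -1, -1):
        feedback = ((reg >> 3) ^ (sample12 >> i)) & 1
        reg = (reg << 1) & 0xF
        if feedback:
            reg ^= CRC4_POLY
    return reg


def odd_parity_bit(field16: int) -> int:
    """Parity bit that gives field + parity an odd number of ones."""
    return 0 if bin(field16).count("1") % 2 else 1


def frame(sync: int, field16: int) -> int:
    """Assemble a 20-bit serial word: sync(3) | field(16) | parity(1)."""
    return (sync << 17) | (field16 << 1) | odd_parity_bit(field16)


def unframe(word20: int):
    """Split a serial word into (sync, field); reject a parity violation."""
    sync, field, parity = word20 >> 17, (word20 >> 1) & 0xFFFF, word20 & 1
    if (bin(field).count("1") + parity) % 2 == 0:
        raise ValueError("parity error")
    return sync, field


def command_word(rt_address: int, transmit: bool, subaddress: int, count: int) -> int:
    """1553 command field: address(5) | T/R(1) | subaddress(5) | word count(5)."""
    field = (rt_address << 11) | (int(transmit) << 10) | (subaddress << 5) | count
    return frame(SYNC_CMD, field)


def data_word(sample12: int) -> int:
    """12-bit sample in the high bits, CRC-4 in the four otherwise unused bits."""
    return frame(SYNC_DATA, (sample12 << 4) | crc4(sample12))


def decode_data(word20: int) -> int:
    """Recover the 12-bit sample; parity and check code must both verify."""
    sync, field = unframe(word20)
    if sync != SYNC_DATA:
        raise ValueError("not a data word")
    sample, check = field >> 4, field & 0xF
    if crc4(sample) != check:
        raise ValueError("error code mismatch")
    return sample


class MTU:
    """Terminal unit obeying the command/response rule: it transmits only in
    reply to a command word that carries its own address."""

    def __init__(self, address: int, sample12: int):
        self.address = address
        self.sample = sample12      # latest value from the subsystem's A/D converter
        self.received = []          # data words accepted from the controller
        self._pending = 0           # data words still due after a receive command

    def on_bus(self, word20: int) -> list:
        sync, field = unframe(word20)
        if sync == SYNC_DATA:
            if self._pending:       # accept only data a receive command announced
                self.received.append(decode_data(word20))
                self._pending -= 1
            return []
        if sync != SYNC_CMD or (field >> 11) != self.address:
            return []               # not addressed: stay silent
        transmit, count = (field >> 10) & 1, field & 0x1F
        if transmit:                # two-word exchange: data follows, no status word
            return [data_word(self.sample) for _ in range(count)]
        self._pending = count
        return []


def poll(units: list, address: int) -> int:
    """Bus controller reads one sensor word: command word out, data word back."""
    cmd = command_word(address, transmit=True, subaddress=1, count=1)
    replies = [w for unit in units for w in unit.on_bus(cmd)]
    if len(replies) != 1:
        raise RuntimeError(f"{len(replies)} units answered address {address}")
    return decode_data(replies[0])


def send(units: list, address: int, sample12: int) -> None:
    """Bus controller writes one actuator command: command word, then data word."""
    cmd = command_word(address, transmit=False, subaddress=1, count=1)
    for word in (cmd, data_word(sample12)):
        for unit in units:
            unit.on_bus(word)


if __name__ == "__main__":
    units = [MTU(address=3, sample12=0xABC), MTU(address=7, sample12=0x123)]
    print(f"sensor at address 3 reads 0x{poll(units, 3):03X}")
    send(units, 7, 0x555)
    print("actuator at address 7 received", [hex(v) for v in units[1].received])
```

A transmitter that answered commands not addressed to it, or put a word on the bus spontaneously, is exactly the failure item f's self test is meant to catch; `poll` treats more than one reply as a fault for that reason.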

2.  Ground  Rules  for  Trade-Off  Estimates 


In addition to the aforementioned characteristics of the
communications system we postulate the following ground rules
which will form the basis for the estimates to follow:

a. DMA - All digital computer input and output variables
are accessed via Direct Memory Access (DMA). If the DMA is a
cycle steal then it requires about one microsecond of real
time to access a single data word. This includes both the
address (contained in the command) and the data. The selection
of DMA for these estimates is not necessarily a recommendation
and certainly does not preclude accessing via program control.
Under program control data would be requested by the program
in the flight control computer. The request would require 2
and possibly 4 microseconds depending upon the location of
the address field in the computer. It would then require at
least 40 microseconds for the data to be returned in a form
ready for access (it requires one microsecond per bit on a
one megabit bus, and two 20 bit serial words per data word).
It would then require one or possibly 2 microseconds to transfer
the data to a memory location on DMA, or to an accumulator if
under program control. While it is possible, in principle, to
perform other programmed computations in the interim, it is
usually difficult to arrange in practice. Thus, we may assume
that it requires at least 43 microseconds to access a single
data word under program control.

[Figure VIII-5: word formats, not reproduced]

b. Sampling Rate - The inner loop sampling rate is assumed
to be 50 per second. The outer loop variables are sampled at
10 per second.

c. DMA Refresh Rate - The DMA refresh rate is 4 times
the sampling rate; i.e., 200 samples per second for inner
loop variables and 40 samples per second for outer loop variables.

d. Equalization - We assume that actuator equalization
is required and, hence, that all actuators of the same axis
require different commands.

e. Configuration - We assume for the purpose of this
trade-off a triplex configuration.

f. Display, control panel and BITE communications, failure
and disengage logic are not included in the trade-off.

g. Sensors - We assume 15 sensors sampled at 50 per
second and 15 sensors sampled at 10 per second. Thus, the
inner loop sensors require 15 x 50 x 4 x 2 = 6000 serial words
per second and the outer loop sensors require 15 x 10 x 4 x 2 =
1200 serial words per second. The total number of serial
words per second required to process sensor information is 7200.

h. Actuators - We assume 4 actuators, each actuator requiring
3 words of data transmission; i.e., a command, follow-up
and equalization data word. All variables are sampled at
50 per second. If a computer supplies an alternate command
to another actuator then only the command data word is required,
the other words being supplied via the nominal command computer
data bus. Hence, each actuator bus requires 4 x 50 x 4 x 3 x 2 =
4800 serial words per second for direct commands and 4 x 50 x
4 x 2 x 2 = 3200 serial words per second for alternate commands
to the other channel actuators.


i. Intercomputer - Intercomputer communications require
15 data words at 50 samples per second to each computer. We
assume that the same words are transferred to both computers.
Hence, intercomputer transfer requires 15 x 50 x 4 x 2 = 6000
serial words per second. If the transfer is performed under
program control then 15 x 50 x 43 = 32,250 microseconds of
real time is required.

j. Actuator commands and internal actuator variables
are transmitted to all computers. This permits all computers
to:

• monitor actuator commands directly,

• supply actuator loop closures (if necessary)
for all computers, and

• supply appropriate and possibly different
commands to all computers in the event that
the nominal command computer fails.

k. The following data regarding topology, wire weights
and reliability of the interface units is assumed:

• Distance between digital computers is negligibly
small.

• Distance from each sensor to each computer = 100 feet.

• Distance from each computer to each actuator = 100 feet.

• Sensor to computer dedicated wiring = 24 gauge,
insulated, twisted pair = 0.5 lbs. per 100 feet.

• Computer to actuator dedicated wiring = 22 gauge,
insulated, twisted pair = 0.8 lbs. per 100 feet.

• Multiplexed data bus wiring = shielded, twisted
pair = 1.5 lbs. per 100 feet.

• Each MTU/SSIU weighs 0.5 lbs.* exclusive of the
A/D and D/A converters required in each subsystem.

*Based on the use of SSI and MSI devices.


• A combined A/D and D/A converter and associated
electronics weighs 0.4 lbs.*

• Stubbing wiring and connector weights not included.

• Failure rate of each MTU/SSIU = 10 x 10^-6 failures per hour.

• Failure rate of an A/D converter and associated
electronics = 10 x 10^-6 failures per hour.

• Failure rate of a D/A converter and associated
electronics = 10 x 10^-6 failures per hour.

• From the three preceding failure rates, the total additional
failure rate to be added to each subsystem is 30 x 10^-6
failures per hour.

• Because they are somewhat equivalent and, hence,
tend to cancel each other out, weight and reliability
of signal selection devices (gates) and analog voters
are not included.

• Power supply requirements, including wiring,
are not included in the trade-off. It can be
expected that multiplex and dedicated systems
will require the same number of wires for power
supply. Assuming

(1) that the flight control computers will
supply power to all subsystems and

(2) that power is transmitted on 22 gauge insulated
pairs of wire at 0.8 lbs. per 100 ft.,

then the additional weight due to power supply
wiring in both systems is 81.6 lbs. (90 sensors
and 12 actuators, each 100 feet from its computer).

*Based on SSI, MSI devices.


3.  Trade-offs  of  Multiplex  Configurations 

Five multiplex and three dedicated communications systems
for a triplex redundant configuration are shown in Figures
VIII-6 through VIII-14. The indicated weights only include
wiring, interface units and A/D and D/A converters.
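The ground rules of section 2, as an added example that reproduces the loading and processor-time figures tabulated for Configurations I through V below (example code, not from the report; the bus composition of each configuration is transcribed from its table, and the function names are this example's own). Processing time per computer is modelled as the serial words per second on each of the three busses it listens to, times 0.5 µs, i.e. one 1 µs cycle-steal DMA access per two serial words. That reproduces the report's 27,000 µs for Configurations I and II and 37,800 µs for Configuration IV; for the busses carrying 21,200 words per second the formula gives 31,800 µs where the report tabulates 31,500, and 42,600 µs for Configuration IVA where it tabulates 42,000, so the tabulated figures should be read as approximate.

```python
"""Bus loading and processor time from the trade-off ground rules.

Added example, not from the report.  Rates and counts are the report's
ground rules a, c, g, h and i; the bus composition of each configuration
is transcribed from its table.  Processing time per computer is modelled
as serial words per second on each of the three busses it listens to,
times 0.5 us (one 1 us cycle-steal DMA access per two serial words).
"""

BUS_BPS = 1_000_000            # one megabit per second, one bit per microsecond
WORD_BITS = 20                 # command, data and status words are 20 bits
SERIAL_PER_DATA = 2            # command word + data word; status word dropped
REFRESH = 4                    # DMA refresh rate = 4 x sampling rate
DMA_US_PER_DATA_WORD = 1.0     # cycle-steal DMA, address and data
PROGRAM_US_PER_DATA_WORD = 43  # request + 40 us bus time + transfer
BUSSES_PER_COMPUTER = 3        # triplex; each computer listens to three busses


def serial_words_per_sec(items: int, rate_hz: int, words_per_item: int = 1) -> int:
    """Serial words per second for `items` variables sampled at `rate_hz`."""
    return items * rate_hz * REFRESH * words_per_item * SERIAL_PER_DATA


SENSORS = serial_words_per_sec(15, 50) + serial_words_per_sec(15, 10)   # 7,200
ACTUATOR_DIRECT = serial_words_per_sec(4, 50, 3)     # command, follow-up, equalization
ACTUATOR_ALTERNATE = serial_words_per_sec(4, 50, 2)  # one command word to each other channel
INTERCOMPUTER = serial_words_per_sec(15, 50)         # 15 words to each other computer

# Serial words per second on each distinct bus a computer is connected to.
CONFIGURATIONS = {
    "I":   {"main": SENSORS + ACTUATOR_DIRECT + INTERCOMPUTER},
    "IA":  {"main": SENSORS + ACTUATOR_DIRECT + ACTUATOR_ALTERNATE + INTERCOMPUTER},
    "II":  {"sensor/actuator": SENSORS + ACTUATOR_DIRECT,
            "intercomputer": INTERCOMPUTER},
    "IIA": {"sensor/actuator": SENSORS + ACTUATOR_DIRECT + ACTUATOR_ALTERNATE,
            "intercomputer": INTERCOMPUTER},
    "III": {"sensor/actuator": SENSORS + ACTUATOR_DIRECT,
            "intercomputer": INTERCOMPUTER + ACTUATOR_ALTERNATE},
    "IV":  {"sensor": SENSORS,
            "actuator": SENSORS + ACTUATOR_DIRECT + INTERCOMPUTER},
    "IVA": {"sensor": SENSORS,
            "actuator": SENSORS + ACTUATOR_DIRECT + ACTUATOR_ALTERNATE + INTERCOMPUTER},
    "V":   {"sensor": SENSORS,
            "actuator": ACTUATOR_DIRECT + ACTUATOR_ALTERNATE + INTERCOMPUTER},
}


def bits_per_sec(words_per_sec: int) -> int:
    return words_per_sec * WORD_BITS


def utilisation(words_per_sec: int) -> float:
    """Fraction of the 1 Mbit/s capacity consumed by one bus."""
    return bits_per_sec(words_per_sec) / BUS_BPS


def processing_us_per_sec(config: dict) -> float:
    """DMA time one computer spends per second servicing all of its busses."""
    words = sum(config.values())
    return words * BUSSES_PER_COMPUTER * DMA_US_PER_DATA_WORD / SERIAL_PER_DATA


def real_time_fraction(config: dict) -> float:
    return processing_us_per_sec(config) / 1_000_000


def program_control_us_per_sec(data_words_per_sec: int) -> int:
    """Cost of the same traffic if the computer fetches it under program control."""
    return data_words_per_sec * PROGRAM_US_PER_DATA_WORD


def busiest_bus(config: dict) -> tuple:
    """(bus name, serial words per second, utilisation) of the most loaded bus."""
    name = max(config, key=config.get)
    return name, config[name], utilisation(config[name])


if __name__ == "__main__":
    for name, cfg in CONFIGURATIONS.items():
        bus, words, util = busiest_bus(cfg)
        print(f"{name:4} busiest bus {bus:16} {words:6d} words/s "
              f"{bits_per_sec(words):7d} bit/s ({util:5.1%}), "
              f"{processing_us_per_sec(cfg):8.0f} us/s = "
              f"{real_time_fraction(cfg):.2%} real time")
    print("intercomputer transfer under program control:",
          program_control_us_per_sec(15 * 50), "us/s")
```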


CONFIGURATION I

3-BUS SYSTEM
SENSOR/COMPUTER CROSS STRAPPING
NO COMPUTER/ACTUATOR CROSS STRAPPING

 7,200 (SENSORS)
 4,800 (ACTUATORS)
 6,000 (INTERCOMPUTER)
18,000 SERIAL WORDS PER SECOND PER BUS
18,000 x 20 = 360,000 BITS PER SECOND PER BUS
18,000 x 3 x .5 = 27,000 µSEC PROCESSING TIME
                = 2.7% REAL TIME
WEIGHT = 106.5 LBS.


CONFIGURATION IA

SAME AS I WITH COMPUTER/ACTUATOR CROSS STRAPPING

 7,200 (SENSORS)
 8,000 (ACTUATORS)
 6,000 (INTERCOMPUTER)
21,200 SERIAL WORDS PER SECOND PER BUS
21,200 x 20 = 424,000 BITS PER SECOND PER BUS
21,200 x 3 x .5 = 31,500 µSEC PROCESSING TIME
                = 3.15% REAL TIME
WEIGHT = 127.5 LBS.


[Figure VIII-6: Configuration I, 3-bus system, sensor/computer cross strapping, no computer/actuator cross strapping]


CONFIGURATION II

6-BUS SYSTEM
SENSOR/COMPUTER X STRAPPING
NO COMPUTER/ACTUATOR X STRAPPING
DEDICATED INTERCOMPUTER BUS SYSTEM

 7,200 (SENSORS)
 4,800 (ACTUATORS)
12,000 SERIAL WORDS PER SECOND PER SENSOR/ACTUATOR BUS
240,000 BITS PER SECOND PER SENSOR/ACTUATOR BUS

 6,000 SERIAL WORDS PER SECOND PER INTERCOMPUTER BUS
120,000 BITS PER SECOND PER INTERCOMPUTER BUS

27,000 µSEC PROCESSING TIME
= 2.7% REAL TIME
WEIGHT = 111.0 LBS.


CONFIGURATION IIA

SAME AS II WITH COMPUTER/ACTUATOR X STRAPPING

15,200 SERIAL WORDS PER SECOND PER SENSOR/ACTUATOR BUS
304,000 BITS PER SECOND PER SENSOR/ACTUATOR BUS

 6,000 SERIAL WORDS PER SECOND PER INTERCOMPUTER BUS

31,500 µSEC PROCESSING TIME
= 3.15% REAL TIME
WEIGHT = 132.0 LBS.


[Figure VIII-8: Configuration II, 6-bus system with separate intercomputer busses and sensor cross strapping]


CONFIGURATION III

6-BUS SYSTEM
SENSOR/COMPUTER X STRAPPING
COMPUTER/ACTUATOR X STRAPPING
INTERCOMPUTER BUSSES SUPPLY ALTERNATE ACTUATOR COMMANDS

 7,200 (SENSORS)
 4,800 (ACTUATORS)
12,000 SERIAL WORDS PER SECOND PER SENSOR/ACTUATOR BUS
240,000 BITS PER SECOND PER SENSOR/ACTUATOR BUS

 9,200 SERIAL WORDS PER SECOND PER INTERCOMPUTER BUS
184,000 BITS PER SECOND PER INTERCOMPUTER BUS

31,500 µSEC PROCESSING TIME
= 3.15% OF REAL TIME
WEIGHT = 132.0 LBS.


CONFIGURATION IV

6-BUS SYSTEM
SENSOR/COMPUTER X STRAPPING VIA COMPUTER/ACTUATOR BUS
NO COMPUTER/ACTUATOR X STRAPPING

 7,200 SERIAL WORDS PER SECOND PER SENSOR BUS
144,000 BITS PER SECOND PER SENSOR BUS

 7,200 (SENSORS)
 4,800 (ACTUATORS)
 6,000 (INTERCOMPUTER)
18,000 SERIAL WORDS PER SECOND PER ACTUATOR BUS
360,000 BITS PER SECOND PER ACTUATOR BUS

 7,200 (SENSOR BUS)
18,000 (ACTUATOR BUS)
25,200 x 3 x .5 = 37,800 µSEC PROCESSING TIME
                = 3.78% REAL TIME
WEIGHT = 108.0 LBS.


CONFIGURATION IVA

SAME AS IV WITH COMPUTER/ACTUATOR X STRAPPING

 7,200 SERIAL WORDS PER SECOND PER SENSOR BUS
144,000 BITS PER SECOND PER SENSOR BUS

21,200 SERIAL WORDS PER SECOND PER ACTUATOR BUS
424,000 BITS PER SECOND PER ACTUATOR BUS

28,400 x 3 x .5 = 42,000 µSEC PROCESSING TIME
                = 4.2% REAL TIME
WEIGHT = 129.0 LBS.


[Figure VIII-10: Configuration IV, 6-bus system with separate sensor/computer busses, no cross strapping]


CONFIGURATION V

6-BUS SYSTEM
SENSOR/COMPUTER X STRAPPING
COMPUTER/ACTUATOR X STRAPPING

 7,200 SERIAL WORDS PER SECOND PER SENSOR BUS
144,000 BITS PER SECOND PER SENSOR BUS

 8,000 (ACTUATORS)
 6,000 (INTERCOMPUTER)
14,000 SERIAL WORDS PER SECOND PER ACTUATOR BUS
280,000 BITS PER SECOND PER ACTUATOR BUS

21,200 x 3 x .5 = 31,500 µSEC PROCESSING TIME
                = 3.15% REAL TIME
WEIGHT = 132.0 LBS.


[Figure VIII-11: Configuration V, 6-bus system, sensor/computer cross strapping, computer/actuator cross strapping]


CONFIGURATION VIII

DEDICATED SYSTEM
SENSOR/COMPUTER X STRAPPING VIA ANALOG VOTERS
COMPUTER/ACTUATOR X STRAPPING VIA ANALOG VOTERS

WEIGHT = 124.5 LBS.




[Figure VIII-14: Configuration VIII, dedicated system, input/output cross strapping via analog voters]


4. Conclusions


a. Perhaps the most important inference from the results
is that the multiplex system can accommodate the required bus
loading, as indicated by Configuration IA where the bus loading
is a maximum.

b. It can be expected that provision for intercomputer
communications will be a requirement in any flight control
system configuration. The quantity of data to be transferred,
however, is very difficult to assess without a knowledge of
the details of the specific configuration, the voting and
monitoring strategy employed, etc. As a consequence, of the
multiplex arrangements, Configuration II is recommended because
it permits large quantities of intercomputer transfers without,
in any way, affecting the loading of the main busses.

c. The main busses of Configuration II, even with sensor/
computer and computer/actuator cross strapping, require 304 kbits/sec,
or less than 1/3 of the bus capacity.

d. The weight trade-off indicates that the dedicated
and multiplex configurations are approximately equal. This
is due to our assumptions regarding

• number of sensors and actuators

• the use of dedicated MTU/SSIU and A/D, D/A
converters for each subsystem

• estimated weights of 0.5 lbs. for each MTU/SSIU
and 0.4 lbs. for each A/D, D/A converter combination.

e. Each subsystem of the multiplexing configuration
assumes an additional failure rate of 30 x 10^-6 failures per
hour due to the interface units. This could represent a considerable
degradation in mission reliability.

f. The cost of the multiplex system can be reduced
considerably if subsystems share a common MTU/SSIU unit. This
would result in an increase in wires and wire weight depending
upon the proximity of the subsystems to the interface
unit. Moreover, when several subsystems share a common interface
there is always the problem of common mode failures.


g. The estimates are based on present day technology.
It can be expected that the reliability, weight and dollar
cost of the interface units will improve over the next several
years to the point where multiplexing will indeed become a
feasible alternative.


APPENDIX  IX 


COMMON  MODE  AND  SOFTWARE  SINGLE  POINT  FAILURES 


The reliability model used in the tradeoff studies was
based on a number of assumptions regarding the effects of failures.
Specifically, it was assumed that:

• Two undetected, dissimilar failures in different
channels of either a triplex or quadruplex configuration
would render the system non-operational.

• Two latent, dissimilar failures in different channels
of either a triplex or quadruplex configuration would
render the system non-operational.

• A failure in any channel would not significantly
reduce test coverage for that channel or any other
channel.

• A single, undetected failure in either a triplex or
quadruplex configuration will not result in degraded
performance.

• Failure in one channel of either a triplex or quadruplex
configuration is independent of failures in
any other channel.

In practice, of course, one or more of these assumptions may not
be valid in a given situation. For example, a failure in one
channel frequently reduces the ability of the test to detect
subsequent failures, and in the case of comparison monitoring,
may even reduce coverage in other channels as well. Nevertheless,
the assumptions do not appear to be unreasonable in the context
of the present study.

In this section specific attention will be focused on the
last assumption above. Failures which affect two or more
channels of a redundant system are classified as either common
mode failures or single point failures. The latter type of
failure includes failures of primary actuators, control links,
power supplies, design defects or single point software failures.
Common mode failures are caused by an environment which causes
two or more channels to behave as though affected by a single
point failure. Typical causes of common mode failures are an
excessively noisy environment: EMI, power transients, avalanching
in signal selection devices or synchronization lock.


1. Single Point Failures

It is clear that the probability of a single point
failure of any kind must be consistent with the reliability goals
of the system. In particular, the probability of a single point
failure per flight hour must be considerably less than 3.0 x 10^-[?]
for a fighter aircraft and 0.23 x 10^-6 for a commercial transport.
As a consequence, the probability of a software single point
failure must be a fraction of the total probability of a single
point failure. To fix upon a number it is not unreasonable to
assume that the probability per flight hour of a software single
point failure should be less than 0.3 x 10^-[?] for a fighter and
0.023 x 10^-6 for a transport, if the system does not provide for
dissimilar channels. Unlike conventional single point failure
rates, which are determined by equipment failures, software
single point failures and their probabilities of occurrence are
determined by the environment; i.e., the event of assuming a
certain state or exercising a certain transition path. Because
it is not practicable to exercise all possible states and transition
paths, software verification procedures can be extremely
costly and time consuming. The large number of possible states
makes it unlikely that software verification can be accomplished
by a deterministic test algorithm alone. Some form of random
selection appears to be required. The development of such procedures
for the flight control application is an area for future
effort.

2. Examples of Single Point and Common Mode Failures

While the major sources of single point and common
mode failures of conventional analog systems are well known, the
sources in a digital control system are perhaps less familiar.
In any case they are certainly different and, as a consequence,
some examples of typical failures will be given. The list, of
course, is by no means exhaustive and is supplied merely to
illustrate the possibilities:

a. An oversight by the programmer which, under certain
remote conditions, causes the system to behave in an unpredictable
manner.

b. A typical operation of a whole word computer is the
negation of a numerical quantity. This is usually accomplished
by taking the 2's complement. However, the 2's complement of the
most negative number is the most negative number. Thus, if the
programmer inadvertently takes the 2's complement of -1 (full
scale, the most negative number in fractional two's complement
arithmetic) the result could be a hardover into all channels.


c. A similar result is obtained if an arithmetic register
overflows, and the overflow is not compensated for. An overflow
could result in an effective hardover into all channels.

d. Division by zero.

e. Division when the dividend and divisor are equal. In
some division algorithms the remainder will assume an erroneous
value.

f. Multiplication may require that the multiplicand be
located in an even numbered arithmetic register. While violation
of this rule is detected in the Assembler, it may happen that,
due either to a manual insertion of an instruction or a power
transient which causes the program register to assume a random
value, the condition is violated. It has been observed that if
the multiplicand and multiplier are in odd numbered registers
the microprogram goes into a "DO" loop from which there is no
recovery except by removing power and then reengaging the system.
The "DO" loop is not interrupted even by the normal external
interrupt because the "DO" is contained entirely within a single
micro instruction.

g.  When  program  synchronizing  two  or  more  computers  via  bi- 
directional intercomputer  links  it  is  possible  for  the  computers 
to  continually  attempt  synchronization  without  actually  being 
able  to  do  so.  This  condition  could  result  in  the  cessation  of 
all  computations. 

h.  A power  transient  or  excessive  noise  could  result  in 
loss  of  bits  in  transit  on  an  internal  computer  bus.  If  the 
bits  represented  an  address  to  the  Program  Register  the  result 
would  be  unpredictable  since  the  computer  would  interpret  an 
arbitrary  data  word  as  an  instruction.  The  proper  instruction 
sequence  is  recoverable  upon  reception  of  the  next  external 
interrupt  which  causes  the  computer  to  execute  a predetermined 
instruction.  However,  variable  storage,  such  as  integrators, 
would  not  be  recoverable.  One  solution  is  to  reinitialize  the 
entire  set  of  variable  storage.  The  resultant  hiatus  in  the 
computations  could  have  serious  consequences  to  the  safety  of 
the  airplane. 

i. Intercomputer links, and particularly bi-directional
links, could fail under "hot short" or other line transient conditions.
In this event and because the links are eventually
gated onto the memory busses, the affected computers could be
seriously damaged.


It is emphasized that the above failure conditions may be
computer dependent and, in most cases, represent careless programming.
In any case, once a failure condition is identified
steps can be taken to either eliminate it or minimize its effects.
Unfortunately, it is the unidentified conditions that will cause
the major problems.
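Items b and c above, as an added example (example code, not from the report). A 16-bit whole-word machine using fractional (Q15) two's complement arithmetic is assumed, so that -1.0 full scale is the most negative word; the function names and the toy "control law" are this example's own. The block shows the wrapping negation and addition a bare register performs, the overflow flag and the saturating forms that guard against them, and, by running three identical channels through a median voter, why this is a single point rather than a random failure: every channel computes the same wrong word, so the voter has nothing to reject.

```python
"""Two's-complement hazards of items b and c as a software single point failure.

Added example, not from the report.  Assumes a 16-bit whole-word machine
using fractional (Q15) two's-complement arithmetic, so the most negative
word, 0x8000, represents -1.0 full scale.
"""

WORD = 16
HALF = 1 << (WORD - 1)       # 32768 = 1.0 full scale
MIN16 = -HALF                # -1.0, the most negative representable number
MAX16 = HALF - 1             # +0.99997, the most positive


def wrap16(value: int) -> int:
    """Contents of a 16-bit register after an operation: modulo 2^16, re-signed."""
    return ((value + HALF) & (2 * HALF - 1)) - HALF


def negate_wrapping(x: int) -> int:
    """Bare 2's complement negation: -(-1.0) comes back as -1.0."""
    return wrap16(-x)


def add_wrapping(a: int, b: int) -> int:
    """Bare register addition: +0.99997 plus one LSB wraps to -1.0."""
    return wrap16(a + b)


def add_flagged(a: int, b: int) -> tuple:
    """(register value, overflow flag), as a CPU overflow flag would report it."""
    total = a + b
    return wrap16(total), not MIN16 <= total <= MAX16


def negate_saturating(x: int) -> int:
    """Negation that clamps -1.0 to +0.99997 instead of wrapping."""
    return MAX16 if x == MIN16 else -x


def add_saturating(a: int, b: int) -> int:
    """Addition that clamps at full scale instead of wrapping."""
    return max(MIN16, min(MAX16, a + b))


def to_fraction(x: int) -> float:
    """Q15 word as a fraction of full scale."""
    return x / HALF


def control_law_unguarded(error: int) -> int:
    """Toy inverting gain stage, command = -error, as each channel computes it."""
    return negate_wrapping(error)


def control_law_guarded(error: int) -> int:
    """Same stage with the saturating negation."""
    return negate_saturating(error)


def median_vote(a: int, b: int, c: int) -> int:
    return sorted((a, b, c))[1]


def triplex(law, error: int) -> int:
    """Three channels running identical software on the same input, then voted.
    Identical software yields identical wrong words, so the voter passes them."""
    return median_vote(law(error), law(error), law(error))


if __name__ == "__main__":
    full_negative = MIN16    # -1.0 full scale arrives as the error signal
    print("unguarded voted command:", to_fraction(triplex(control_law_unguarded, full_negative)))
    print("guarded voted command:  ", to_fraction(triplex(control_law_guarded, full_negative)))
    print("MAX16 + 1 ->", add_flagged(MAX16, 1))
```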




APPENDIX  X 


TEST  VALIDATION  CONSIDERATIONS 


From the results of the tradeoff studies it may be concluded
that test coverage is a critical parameter in determining flight
safety reliability of a redundant system. While test coverage
requirements will vary considerably, depending upon the configuration,
values between 0.99 and 0.999 can reasonably be expected.
Compromising between these extremes we will select 0.995 as a
tentative goal for purposes of this discussion. Having established
the coverage required it remains to determine the coverage
actually achieved.

1. Validation Procedure

Assume that a test procedure has been devised for an
LRU. The validation procedure will consist of the following
steps:

Step 1

Enumerate all component failures of the LRU (ignore,
for the moment, the feasibility of identifying all failures).

Step 2

Enumerate relative failure rates of all component failures.

Step 3

Simulate component failures at random; i.e., according
to their relative frequency of occurrence.

Step 4

Tabulate the number of failures detected and compute
the ratio $S_N/N$ where

$S_N$ = number of failures detected

$N$ = number of failures simulated

Since $\alpha = P(A|F)$, we naturally expect that $S_N/N$ will approximate
the unknown coverage, $1-\alpha$.


Each simulated failure is interpreted as a Bernoulli trial
with probability of success equal to $1-\alpha$. Let it be desired
to estimate $1-\alpha$ with an accuracy of $\epsilon$; i.e., N is chosen so
large that

$$\frac{S_N}{N} - \epsilon \le 1 - \alpha. \qquad \text{(X-1)}$$

Unfortunately no sample size can give absolute assurance that
$S_N/N$ satisfies (X-1). Since absolute certainty is unattainable
we settle for an arbitrary confidence level, $\lambda$, and only require
that N be large enough to insure that

$$P\left[\frac{S_N}{N} - \epsilon \le 1 - \alpha\right] \ge \lambda. \qquad \text{(X-2)}$$

The number of trials necessary to insure the inequality of (X-2)
depends upon the three parameters $\epsilon$, $\lambda$ and $1-\alpha$.


Accuracy, $\epsilon$

Since it is desirable to be able to distinguish between
a coverage of .99 and .999 the accuracy must, as a minimum,
satisfy the inequality

$$\epsilon \le 0.005.$$

This requirement imposes an additional requirement on the degree
of ignorance regarding the known failures of the LRU; i.e., if

M = total number of failures of the device (assumed
to be equiprobable)

m = total known failures (also assumed to be
equiprobable)

then

$$\frac{M - m}{M} \le \epsilon.$$

Thus, for $\epsilon$ = .005 = 1/200, at least 199 of every 200 failures
of the device must be known in order to generate a failure model
which is consistent with the accuracy requirement of the validation
program.


Confidence Level, $\lambda$

For repeatability of the validation experiment the confidence
level should be approximately unity. However, the cost
of high confidence can be considerable in terms of the number
of simulated failures which are required. As a consequence,
some compromise is desirable. It is proposed to use a confidence
level of 90% (i.e., $\lambda$ = .9) which yields a reasonable repeatability
but, as will be seen, does not result in an excessive
number of trials.


Test Coverage, $1-\alpha$

Although the purpose of the validation program is to
establish the value of $1-\alpha$, it may happen that the test coverage
is known, a priori, to exceed a known value. This is not an
unreasonable expectation since the test was presumably devised
to detect a certain minimal set of failures. Since values of
$1-\alpha$ between .8 and .95 are relatively easy to establish we may
assume that $1-\alpha \ge .95$. This will reduce the number of simulated
failures required.


Sample Size

Returning now to the Bernoulli trials, the probability
that the number of successes, $S_N$, lies between $K_1$ and $K_2$ is given
by

$$P(K_1 \le S_N \le K_2) = \sum_{j=K_1}^{K_2} \binom{N}{j} (1-\alpha)^j \alpha^{N-j} \qquad \text{(X-3)}$$

where $1-\alpha$ is the probability of success; i.e., of a detected
failure.

If $K_1$ and $K_2$ are selected such that

$$K_1 = 0 \quad \text{and} \quad K_2 = N(1-\alpha+\epsilon)$$

then

$$P(K_1 \le S_N \le K_2) = P\left[\frac{S_N}{N} - \epsilon \le 1-\alpha\right] \qquad \text{(X-4)}$$


which corresponds to the left side of inequality (X-2). Unfortunately
the right side of (X-3) is difficult to evaluate when
N is large. For this purpose we use the

DeMoivre-Laplace Theorem:

$$P(K_1 \le S_N \le K_2) \sim \Phi\left(\frac{K_2 - N(1-\alpha) + .5}{\sqrt{N\alpha(1-\alpha)}}\right) - \Phi\left(\frac{K_1 - N(1-\alpha) - .5}{\sqrt{N\alpha(1-\alpha)}}\right) \qquad \text{(X-5)}$$

where

$$\Phi(z) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{z} \exp\left(-\frac{t^2}{2}\right) dt$$

and "$\sim$" means that the ratio of the two sides of (X-5) tends
to unity as N tends to $\infty$.

Substituting $K_1$ and $K_2$ of (X-4) into (X-5) yields

$$P\left[\frac{S_N}{N} - \epsilon \le 1-\alpha\right] \sim \Phi\left(\frac{N\epsilon + .5}{\sqrt{N\alpha(1-\alpha)}}\right) - \Phi\left(\frac{-N(1-\alpha) - .5}{\sqrt{N\alpha(1-\alpha)}}\right) \qquad \text{(X-6)}$$

The right side of (X-6) is substituted into (X-2) and the number
of samples, N, is evaluated as a function of $\lambda$ and $1-\alpha$. The
result is shown in Figure X-1, where $\lambda$ is plotted versus N for
several values of $1-\alpha$ with an accuracy of .005. If it is known,
a priori, that

$$1-\alpha \ge .95$$

then the number of simulated failures required for a 90% confidence
is 3000, approximately.
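The sample computation above, as an added example (example code, not from the report; the function names are this example's own). It evaluates the right side of (X-6), searches for the smallest N that reaches a chosen $\lambda$, and, as a check the report does not make, evaluates the exact binomial sum of (X-3) at that N. One caveat a practitioner should know: because of the +.5 continuity correction, the (X-6) approximation is not monotone in N and actually reports a confidence near unity at N = 1, so a search that starts at N = 1 stops immediately with a meaningless answer. The curve is decreasing up to N = 0.5/ε and increasing thereafter, so the search starts there.

```python
"""Sample size for validating test coverage by random failure simulation.

Added example, not from the report.  Each simulated failure is a Bernoulli
trial with success probability 1 - alpha (the coverage); we want
P[S_N/N - eps <= 1 - alpha] >= lambda, using the report's (X-3) and (X-6).
"""
import math


def normal_cdf(z: float) -> float:
    """Phi(z), the standard normal distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def confidence_normal(n: int, coverage: float, eps: float) -> float:
    """Right side of (X-6): DeMoivre-Laplace approximation to
    P[S_N/N - eps <= 1 - alpha] for n trials with success probability `coverage`."""
    alpha = 1.0 - coverage
    sd = math.sqrt(n * alpha * coverage)
    upper = normal_cdf((n * eps + 0.5) / sd)
    lower = normal_cdf((-n * coverage - 0.5) / sd)
    return upper - lower


def confidence_exact(n: int, coverage: float, eps: float) -> float:
    """Binomial sum of (X-3) with K1 = 0 and K2 = floor(N(1 - alpha + eps)),
    evaluated in log space so that N in the thousands does not overflow."""
    # +1e-9 guards the floor against a product such as 2864.999999... for 2865
    k2 = min(n, math.floor(n * (coverage + eps) + 1e-9))
    log_p, log_q = math.log(coverage), math.log(1.0 - coverage)
    total = 0.0
    for j in range(k2 + 1):
        log_pmf = (math.lgamma(n + 1) - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                   + j * log_p + (n - j) * log_q)
        total += math.exp(log_pmf)
    return total


def trials_required(coverage: float, eps: float, confidence: float) -> int:
    """Smallest N at which the (X-6) approximation reaches `confidence`.

    The search starts at N0 = 0.5/eps, not at 1: the +0.5 continuity
    correction makes the approximation decrease with N below N0 (it is close
    to 1 at N = 1), and monotone increasing above N0."""
    n = math.ceil(0.5 / eps)
    while confidence_normal(n, coverage, eps) < confidence:
        n += 1
    return n


def min_known_failures(total_failures: int, eps: float) -> int:
    """Failures that must be in the model so that (M - m)/M <= eps."""
    return math.ceil(round((1.0 - eps) * total_failures, 9))


if __name__ == "__main__":
    n = trials_required(coverage=0.95, eps=0.005, confidence=0.90)
    print(f"N = {n} simulated failures for 90% confidence with coverage >= .95")
    print(f"exact binomial confidence at N = 3000: {confidence_exact(3000, 0.95, 0.005):.3f}")
    print(f"known failures required out of 200: {min_known_failures(200, 0.005)}")
```

Evaluating the exact sum at N = 3000 lands within a few thousandths of the 0.9 target, which is why the report's "3000, approximately" is safe to use as a planning figure even though it rests on the normal approximation.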

2. Summary

From the preceding discussion and sample computation it
can be seen that validating a test coverage goal exceeding 0.995
may require a comprehensive failure model and the capability of
simulating large numbers of failures. The failure model must be
consistent with the accuracy requirement of the validation program,
which means that the unknown failures may not exceed 1/200
of the total failures of the device. As pointed out in Appendix
VII, simulating non-destructive failures of digital devices can
present considerable difficulties particularly when such failures
affect internal states or transition paths.


APPENDIX  XI 


SYNCHRONIZATION  REQUIREMENTS  FOR  REDUNDANT 
DIGITAL  FLIGHT  CONTROL  SYSTEMS 


1. General

Rather than presenting particular schemes for synchronizing
digital computers, this discussion will attempt to determine
what unique factors of digital implementation dictate the degree
of synchronization required. Motivation for this review is based
on the fact that traditional redundant systems have been designed
without a general synchronization scheme.

By way of defining terms, synchronization will be considered
to mean (near) simultaneous occurrence of similar events
in each of the redundant channels. This can range from sampling
a particular input variable, e.g., servo follow-up, at the same
time in each redundant channel up to having each micro-program
step in each redundant computer occur at the same time.

2.  Passive  Redundant  Configuration 

Figure XI-1 shows an elementary triple redundant configuration
with no cross strapping of intermediate variables. It is assumed
that the output variables command servos whose outputs add on a
channel basis to control the aircraft. This type of redundancy
has been called "passive" since failures are not actively
detected nor is the configuration altered as a function of a
failure. The effect of a failed channel would be a 33% loss of
authority and gain for a passive failure, and in addition a 33%
offset for a hardover failure. For this configuration the outputs
(non-failed state) would be a control law modified form of the
inputs distorted by four factors:

a.  transport  lag  as  a function  of  the  iteration  rate  and 
algorithm 

b.  input  noise  as  modified  by  input  filtering  and  folding 
effects 

c.  output  ripple  due  to  non-infinite  iteration  rate  and 
large  rate  of  output  change 

d.  computer  errors. 




Transport lag is most evident when the input changes
immediately after the data is input to the computer, so that the
input change cannot affect the output until the next iteration.
When the inputs are synchronized between the three redundant
channels the net output will suffer an average transport lag.
If the three channels are asynchronous, the average transport
lag will be the same, merely distributed differently among the
channels. Thus the net output information will be as fresh on
the average for the asynchronous as for the synchronous case.

The effect of input noise folding will depend on the
degree of synchronization of the data input events. For example,
assume that the three input signals of a given type (three pitch
rate signals) contain in-phase noise components, such as power
supply frequency, near a multiple of the sampling frequency.
This will fold down to give an output noise component at the
difference frequency, the amplitude of which will be largest
when the data input events are synchronized and, in general,
smaller when they are not synchronized. This noise effect would
have to be made small by suitable pre-filtering in any case, so
it is not considered significant.

Output ripple will be a function of synchronizing the output
event, the worst case (largest ripple) being when the outputs are
synchronized and the best when they are phased 1/3 sampling
interval apart. Obviously, if considered of significance, one
could synchronize the output events so that they always occur
1/3 sampling interval apart. In any event, suitable choice of
iteration rate and post filtering can reduce this ripple to small
enough values that this effect is not considered of significance.
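The ripple effect can be checked numerically. The following Python simulation is an added example, not part of the report: three channels each hold (zero-order hold) their last sample of a full-scale-per-second ramp and contribute one third of the summed servo command, and the function returns the peak-to-peak deviation of the sum from the ideal ramp. The 50 Hz iteration rate and the unit ramp are assumed values chosen for the demonstration.

```python
import math


def zoh_sum(t, slope, period, phase_fracs):
    """Summed output of three force-summed channels at time t.

    Each channel holds its last sample of the ramp slope*t (zero-order hold)
    and carries one third of the authority; channel i updates at
    t = k*period + phase_fracs[i]*period.
    """
    total = 0.0
    for frac in phase_fracs:
        phase = frac * period
        k = math.floor((t - phase) / period + 1e-9)   # last update at or before t
        total += slope * (k * period + phase) / 3.0
    return total


def peak_to_peak_ripple(slope, period, phase_fracs, points_per_period=1000, periods=3):
    """Peak-to-peak deviation of the summed output from the ideal ramp,
    evaluated on a fine time grid after the first full sampling interval."""
    devs = []
    for i in range(points_per_period * periods):
        t = period * (1.0 + i / points_per_period)
        devs.append(slope * t - zoh_sum(t, slope, period, phase_fracs))
    return max(devs) - min(devs)


def ripple_comparison(iteration_hz=50.0, slope=1.0):
    """Ripple for synchronized outputs versus outputs phased 1/3 interval apart
    (assumed 50 Hz iteration and a full-scale-per-second ramp)."""
    period = 1.0 / iteration_hz
    synchronized = peak_to_peak_ripple(slope, period, (0.0, 0.0, 0.0))
    staggered = peak_to_peak_ripple(slope, period, (0.0, 1.0 / 3.0, 2.0 / 3.0))
    return synchronized, staggered


if __name__ == "__main__":
    sync, stag = ripple_comparison()
    print(f"synchronized ripple: {sync:.4f} FS, staggered ripple: {stag:.4f} FS")
```

With the outputs synchronized the summed ripple is one full per-iteration increment of the ramp; with the three update events spread 1/3 interval apart the three sawtooth lags partly cancel and the ripple falls by a factor of three, which is the point made in the text.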

The effects of computer errors such as truncation and
round-off on control system performance have not been extensively
studied, to our knowledge. Accordingly, the effect of the degree
of synchronization on these errors would be difficult to establish.
However, one truncation error problem that has been identified
is that associated with integration and lag filter functions
that are slow compared to the iteration rate. In such cases a
dead space effect can be observed when the increment per iteration
required is less than the least significant bit of the data word.
In applications where this dead space is of significance, the
effect can be made negligible by a simple double precision
operation. Therefore, at least in this case, the question of
synchronization is not affected. In summary, the "passive"
redundant configuration as outlined here does not have any
significant need for synchronization of any type.
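The dead space effect and its double precision cure, as an added Python example that is not taken from the report. The integrator input is expressed in output LSBs per second and the accumulator is a plain integer; the 50 Hz iteration rate and the 16 extra fractional bits are assumed values.

```python
FRAC_BITS = 16   # extra low-order bits carried by the double-precision accumulator


def integrate(inputs_lsb_per_s, iteration_hz, double_precision):
    """Forward-Euler integration of a sampled input, one sample per iteration.

    Inputs are integers in output LSBs per second; the returned list is the
    integrator output in LSBs after each iteration. In single precision the
    increment x/iteration_hz is truncated to whole LSBs, so any |x| below
    iteration_hz contributes nothing at all (the dead space). In double
    precision the fractional part is kept in FRAC_BITS low-order bits of a
    second word and carries over from iteration to iteration.
    """
    acc = 0
    outputs = []
    for x in inputs_lsb_per_s:
        if double_precision:
            acc += (x << FRAC_BITS) // iteration_hz     # fraction survives in the low word
            outputs.append(acc >> FRAC_BITS)
        else:
            acc += int(x / iteration_hz)                # truncated toward zero
            outputs.append(acc)
    return outputs


def dead_space_lsb_per_s(iteration_hz):
    """Largest input rate that a single-precision integrator ignores entirely."""
    return iteration_hz - 1


def demo(iteration_hz=50):
    """One second of a slow (10 LSB/s) and a fast (100 LSB/s) constant input."""
    slow = [10] * iteration_hz
    fast = [100] * iteration_hz
    return {
        "slow_single": integrate(slow, iteration_hz, False)[-1],
        "slow_double": integrate(slow, iteration_hz, True)[-1],
        "fast_single": integrate(fast, iteration_hz, False)[-1],
        "fast_double": integrate(fast, iteration_hz, True)[-1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value} LSB after 1 s")
```

At 50 iterations per second any input slower than 50 LSB/s produces no output whatever in single precision, which is the dead space described above; the double precision accumulator integrates it correctly to within the residual truncation of its fractional word.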




3.  Analog  Output  Voting 

Although  the  "passive"  redundant  configuration  is  con- 
ceptually simple  there  are  several  objections  to  it,  the  most 
important  being  the  sensitivity  to  a hardover  failure  and  the 
change in gain after failure. These difficulties can be obviated
by  "voting"  the  output  signals;  i.e.,  by  selecting  a good  signal 
for  transmission  downstream.  There  are  many  such  signal  selec- 
tion schemes  available  for  both  analog  and  digital  formats.  If 
analog  voters  are  used  for  the  output  signals,  the  system  can  be 
made  relatively  insensitive  to  first  failures  that  occur  upstream 
of  the  voter  and  the  system  characteristics  are  independent  of 
synchronization  except  for  the  noise  effects  mentioned  previously. 

4. Input Signal Comparison

It is desirable to have the ability to compare redundant
input signals for failure detection and for signal selection
purposes. Equivalent signals must be compared more or less
simultaneously, depending on the comparison accuracy required for
the particular signal. This is so whether the comparison is
accomplished by the digital computer or with dedicated hardware.
When differential amplifiers are used as comparison monitors,
their speed of response is so rapid that for control signal
frequencies the comparison is essentially simultaneous. However,
if the comparison is done in the digital computer(s), non-
simultaneous sampling will cause an error in the comparison which
could be significant.

A comparator error due to sampling delay equivalent to
1% of full scale signal would probably be acceptable in most
cases. Assuming an input rate of zero to full scale signal in
one second, the sampling delay between two signals to be
compared should then be less than 10 milliseconds.

When  the  comparisons  are  done  in  computer  software,  the 
redundant  signals  must  be  entered  into  the  computers.  Two  methods 
of entering such data are shown in Figure XI-2. In the first method
all  redundant  signal  sets  are  sequentially  converted  and  entered 
into  each  computer  whereas  in  the  second  method  intercomputer 
buses  transfer  the  necessary  data  on  a digital  basis. 

Considering the first method, the worst case lag between
any two compared signals will be twice the conversion time,
or about 60 µs. This will be the only delay of concern if there
is assurance that the comparisons are not made between new and
stale data; i.e., that the comparison routine is not run in the
time period in which the signals to be compared are being refreshed.




This assurance is readily provided by proper programming
when the input multiplexers and converters are program
controlled. However, when the input section is independently
controlled, and particularly when DMA is used, this assurance is
more difficult to provide. One method that has been suggested is
to assign a flag bit in each converted word so that flag bit
status indicates common, i.e., adjacent, sampling.

For the second input method indicated in Figure XI-2,
the problem is more difficult. If the input multiplexers, A/D
converters and computers are all asynchronous, then the relative
freshness of data being compared is a function of the basic
refresh rates. As an example consider an autopilot having twenty
input control signals. At 30 µs per conversion, the maximum
staleness at the converter output would be 600 µs. If the inputs
are DMA'd into one computer and then DMA'd out to the other
computers, only a few additional microseconds of staleness would
be added. Thus, in each computer comparisons will be made of
data that is at most about 600 µs late, which is considerably
less than the 10 ms allowed.

However, in method 2 if the conversions and data
communications are under program control, then either the programs
in each computer must be synchronized to better than 10 ms or
else the conversions and data communications must be iterated at
least 100 times per second.
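The flag bit scheme suggested for method 1, together with the skew budget that follows from the 1% and zero-to-full-scale-in-one-second figures above, as an added Python example that is not from the report. Assumed details: 12-bit converted words with the scan flag in bit 15, a 50 Hz refresh of the input memory, and two healthy redundant channels tracking the same ramp; the DMA'd words are constructed inline.

```python
SCAN_FLAG = 1 << 15      # toggles each time the multiplexer starts a new pass
SAMPLE_MASK = 0x0FFF     # 12-bit converted sample in the low bits
FULL_SCALE_COUNTS = 4095


def max_sample_skew_s(max_rate_fs_per_s, threshold_frac):
    """Largest sampling delay between two compared signals for which the
    rate-induced difference stays within the comparator threshold."""
    return threshold_frac / max_rate_fs_per_s


def pack(sample_counts, scan_index):
    """Converted word as DMA'd into input memory: sample plus scan-parity flag."""
    flag = SCAN_FLAG if scan_index & 1 else 0
    return (sample_counts & SAMPLE_MASK) | flag


def compare(word_a, word_b, threshold_counts, check_flag=True):
    """Compare two redundant input words.

    Returns ("stale", None) when check_flag is set and the words carry
    different scan flags (one was refreshed after the other), so the
    comparison is deferred to the next iteration instead of being made
    between new and stale data. Otherwise returns ("ok"|"alarm", difference).
    """
    if check_flag and (word_a & SCAN_FLAG) != (word_b & SCAN_FLAG):
        return ("stale", None)
    diff = abs((word_a & SAMPLE_MASK) - (word_b & SAMPLE_MASK))
    return ("alarm" if diff > threshold_counts else "ok", diff)


def mid_refresh_scenario(refresh_hz=50, ramp_fs_per_s=1.0, scan_index=25):
    """Two healthy pitch-rate channels tracking the same ramp, read by the
    comparison routine while the DMA refresh has replaced channel A's word
    but not yet channel B's (constructed scenario)."""
    t_new = scan_index / refresh_hz
    t_old = (scan_index - 1) / refresh_hz
    a_new = pack(int(ramp_fs_per_s * t_new * FULL_SCALE_COUNTS), scan_index)
    b_old = pack(int(ramp_fs_per_s * t_old * FULL_SCALE_COUNTS), scan_index - 1)
    b_new = pack(int(ramp_fs_per_s * t_new * FULL_SCALE_COUNTS), scan_index)
    threshold = int(0.01 * FULL_SCALE_COUNTS)          # 1% of full scale
    return {
        "unflagged": compare(a_new, b_old, threshold, check_flag=False),
        "flagged": compare(a_new, b_old, threshold),
        "after_refresh": compare(a_new, b_new, threshold),
    }


if __name__ == "__main__":
    print("skew budget:", max_sample_skew_s(1.0, 0.01), "s")
    for name, verdict in mid_refresh_scenario().items():
        print(f"{name}: {verdict}")
```

Without the flag check, a comparison made across a refresh boundary sees one full refresh interval (20 ms at 50 Hz) of ramp between two healthy channels, twice the 10 ms budget, and raises a nuisance alarm; with the flag check that comparison is simply deferred until both words come from the same scan.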

5.  Output  Signal  Comparisons 

Comparisons of redundant computers' outputs are useful
for both failure detection and voting. If the computers have
identical inputs and are fully synchronous then with no failures
the computer outputs will be identical at every instant. Even if
the computers are "clock synchronized", if the input data are not
identical then, due to conditional branches in the program, the
programs may not be synchronous and the outputs may not be
identical. If the input data are identical but the computers are
asynchronous, then the outputs will be identical but delayed by up
to one iteration time.

Therefore,  there  are  two  problems  to  be  considered; 

a.  grossly  different  outputs  due  to  differences  in  the 
operating  programs  caused  by  conditional  branching  when  using 
nonidentical  input  data 

b.  timing  differences  in  the  outputs  caused  by  asynch- 
ronous computer  operations  resulting  in  delays  of  up  to  one 
iteration  cycle. 




The first problem is not unique to digital systems;
it also occurs in analog systems. A good example of this is the
transition from glide slope track to flare modes in an autoland
system. This transition is normally a function of altitude and
altitude rate signals. Due to tolerances in the redundant signal
sources the channels will not switch to flare at the same time,
so that one channel is calling for the flare maneuver while the
other channels are attempting to track the glide slope beam.
As a result the output comparators will alarm. Solutions to this
are either to equalize the signals prior to the signal switch or
else to design the switching logic so that all redundant signals
have to be below the critical value before the mode is initiated.
These solutions are applicable to the digital system, but their
implementation requires that internally generated variables or
logic states be communicated between the computers. If this
communication link uses DMA or interrupt then the computers can
be asynchronous, since both computers need not be simultaneously
at particular points in their programs. However, if both reception
and transmission of data are under program control then
synchronization is required so that when one computer transmits,
the other receives.

The second problem, i.e., timing differences between
redundant outputs, involves the desired speed of comparator
response, the desired comparator threshold, the basic iteration
rate and the maximum required output rate. Assuming the values
used in section 4, a comparator threshold of 1% of full scale (FS)
and a maximum rate of zero to full scale in one second, the
maximum increment per iteration will be (FS)/I (where I is the
iteration rate). This will also be the comparator error for the
worst case computer delay of one iteration. If the input data in
each computer is identical then the output values will be
identical for no failure, so that the delay error is the only
error. Therefore, for instantaneous comparison the delay error
must be less than the comparator threshold in order to have no
nuisance alarm; i.e., (FS)/I ≤ .01 (FS), or I ≥ 100 iterations
per second. If the input data into each computer is not identical
then there will be comparator errors due to tolerances between
input data sources. If arbitrarily one half of the allowable
error is assigned to these sources and the other one half to
output delay, then I ≥ 200 iterations per second would be needed.

However,  it  is  questionable  that  instantaneous  output 
comparison  is  really  necessary  and  that  some  type  of  delayed 
comparison would not be sufficient. As an example, suppose that
"B"  computer  leads  the  "A"  computer.  Then  the  "A"  comparison  done 
immediately  after  the  "A"  update  will  be  correct.  If  "B"  lags 
"A"  then  the  "A"  comparison  done  before  the  "A"  update  is  correct. 




Therefore,  if  no  failure  exists  then  the  smaller  of  these  two 
comparisons  is  correct.  If  the  incremental  output  per  iteration 
can  be  larger  than  the  desired  failure  detection  threshold,  then 
failure  logic  requiring  that  both  comparisons  exceed  the  threshold 
would  be  used. 
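Both the instantaneous comparison and the two-sample (before and after update) comparison described above, as an added Python simulation that is not taken from the report. Computers A and B compute the same ramp output; B either leads or lags A within the iteration frame, and B may carry an injected step failure. The 50 Hz iteration rate, the 1% threshold and the 5% step are assumed values.

```python
def output_sequence(n_iter, increment, step_fault_at=None, step_size=0.0):
    """Output of one computer after each iteration: a ramp rising by
    `increment` (in fractions of full scale) per iteration, with an optional
    step failure applied from iteration number `step_fault_at` onward."""
    out = []
    for k in range(1, n_iter + 1):
        y = k * increment
        if step_fault_at is not None and k >= step_fault_at:
            y += step_size
        out.append(y)
    return out


def alarm_iterations(a_out, b_out, b_leads, threshold, two_sample=True):
    """Iteration numbers at which computer A's comparator alarms against B.

    At A's k-th update B's visible output is b_out[k] if B leads A within the
    frame, else b_out[k-1]. Instantaneous comparison uses only the difference
    after A's update; the two-sample comparison also takes the difference
    before the update and alarms only if the smaller of the two exceeds the
    threshold, so a healthy but skewed B never trips it.
    """
    alarms = []
    for k in range(1, len(a_out)):
        b_now = b_out[k] if b_leads else b_out[k - 1]
        after = abs(a_out[k] - b_now)
        if two_sample:
            before = abs(a_out[k - 1] - b_now)
            tripped = min(before, after) > threshold
        else:
            tripped = after > threshold
        if tripped:
            alarms.append(k + 1)          # a_out[k] is the output of iteration k+1
    return alarms


def min_iteration_rate(threshold_frac, max_rate_fs_per_s, delay_share=1.0):
    """Iteration rate needed so that one iteration of delay error stays within
    the share of the comparator threshold assigned to it: FS/I <= share*thr*FS."""
    return max_rate_fs_per_s / (threshold_frac * delay_share)


def scenario(iteration_hz=50, threshold=0.01, n_iter=20):
    """Nuisance alarms with a healthy B, and detection of a 5% FS step in B
    (constructed scenario)."""
    inc = 1.0 / iteration_hz                     # full scale per second ramp
    a = output_sequence(n_iter, inc)
    b_good = output_sequence(n_iter, inc)
    b_bad = output_sequence(n_iter, inc, step_fault_at=10, step_size=0.05)
    return {
        "instantaneous_lag_nuisance": alarm_iterations(a, b_good, False, threshold, two_sample=False),
        "two_sample_lag": alarm_iterations(a, b_good, False, threshold),
        "two_sample_lead": alarm_iterations(a, b_good, True, threshold),
        "fault_lead": alarm_iterations(a, b_bad, True, threshold),
        "fault_lag": alarm_iterations(a, b_bad, False, threshold),
    }


if __name__ == "__main__":
    for name, frames in scenario().items():
        print(f"{name}: first alarm at iteration {frames[0] if frames else None}")
```

At 50 iterations per second the per-iteration increment (2% FS) exceeds the 1% threshold, so the instantaneous comparison alarms on every frame when B lags; the two-sample comparison is quiet in both the lead and the lag case, still detects the injected step, and in the lag case does so one iteration later, which is the alarm delay the next paragraph discusses.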

However, for step failures there could be an alarm
delay equivalent to one iteration time. It is desirable to make
the alarm delay as short as possible, but this is at the expense
of increased iteration rate. How large the alarm delay may be is
a function of the aircraft sensitivity and the response
characteristics of the servos. If the servo redundancy is such
that the servo is insensitive to command failures, then relatively
large alarm delays would be acceptable since the main purpose
would be to alert the pilot. If the servos respond to the failure
and the alarm is to be used to disconnect the failed computer,
then the alarm delay should be shorter to reduce the amount of
servo motion and resultant aircraft transient due to the failure.
In that case an alarm delay of 50 to 100 ms would be appropriate.
As an example, for an aircraft having 1 deg/g sensitivity and
3 rad/sec second order response, and a servo with a slew rate of
40 deg/sec, a disengage delay of 100 ms would meet the normal
0.1 g transient requirement.

6. Conclusions


The  question  of  synchronization  arises  where  there  is 
communication  between  computers.  Communication  which  is  program 
controlled  requires  synchronization  at  least  on  a program  basis. 
Communications  which  are  independently  controlled  do  not  require 
synchronization  since  the  refresh  rates  for  typical  flight  con- 
trol applications  can  be  made  high  enough  to  make  relative  errors 
negligible. 


The  major  area  where  synchronization  might  be  desirable 
is  where  variables  computed  in  each  redundant  computer  are  to  be 
compared.  If  these  comparisons  must  be  made  and  action  taken 
very  rapidly  (on  the  order  of  10  ms),  then  some  type  of  synchro- 
nization would  be  preferable  to  an  increase  in  the  basic  itera- 
tion rate  to  values  higher  than  would  otherwise  be  necessary. 




APPENDIX  XII 


ANALOG  INNER  LOOPS/DIGITAL  OUTER  LOOPS 


General  Observations 

1. In the context of supplying an autopilot command, the digital
computer can be treated as any other sensor with a relatively
high failure rate. Because its failure rate will be
approximately equal to the failure rate of the inner loop,
cross strapping between the digital computer and the inner
loop is desirable.

2.  The  signal  interface  between  the  digital  outer  loop  and  the 
analog  inner  loop  presents  no  unusual  problems. 

3. Because of its computational flexibility the digital computer
can compensate for undesirable feedback in the inner loop.
For example, the autopilot command, as supplied by the
digital computer, may cancel the stick command and
acceleration feedback or effectively increase rate feedback
in a particular mode of flight. Obviously, stick force,
rate and acceleration sensors must be accessible to the
digital computer in order to achieve this compensation.

4.  Variable  authority  limits  can  be  computed  in  the  digital 
computer  and  the  autopilot  command  computed  accordingly. 
However,  in  the  event  of  a failure  of  the  digital  computer, 
the  computed  limit  must  be  superseded  by  a slightly  higher 
limit contained in the inner loop.

5.  Easy  on,  easy  off  and  synchronization  functions  of  the  auto- 
pilot commands  are  computed  in  the  digital  computer— thus 
eliminating  the  need  for  dedicated  circuitry  in  the  inner 
loop. 

6. Care must be taken to prevent an inner loop channel from
disengaging in the event of a digital computer failure.
For example, in a triplex system with three digital computer
outer loops, if each computer supplies a dedicated autopilot
command to an inner loop, a failure of a digital computer
could result in disengagement of the inner loop channel.
This situation could occur if the inner loop monitoring
detects a difference between the servo commands before the
autopilot failure is detected. This is an extremely
undesirable situation because it significantly reduces the




reliability of the inner loops. Assuming that the inner
loop monitoring must be rapid in order to reduce undesirable
failure transients, it appears that the solution is
(1) to supply the same (or effectively the same) autopilot
command to all inner loops or (2) to monitor, isolate and
disengage autopilot command failures before the failure is
detected by inner loop monitoring. In this latter strategy,
however, an alternate autopilot command must be available;
otherwise an imbalance will develop between inner loops
causing either a disengagement or a reduction in servo
authority. In summary,

(a) each inner loop must receive effectively the same
autopilot command, and

(b) alternate autopilot commands must be provided if high
reliability of the autopilot is required without
performance degradation.

7,  All  autopilot  commands  should  be  authority  limited.*  The 
authority  limit  may  be  varied  as  a function  of  g's,  dyna- 
mic pressure,  airspeed,  trim,  etc.  If  the  authority  limit 
(for  safety)  is  compatible  with  autopilot  performance,  then 
outer  loop  monitoring  may  be  performed  by  the  digital  com- 
puters which  may  either  disengage  one  autopilot  command  or 
annunciate  the  failure  at  the  control  panel  for  manual  dis- 
engagement by  the  pilot.  In  any  case,  the  outer  loop 
authority  limit  which  should  preferably  be  located  in  the 
inner  loop  is  sufficient  protection  against  failure.  In 
the  critical  case,  however,  the  authority  limit  is  not 
compatible  with  autopilot  performance.  In  this  event  the 
inner  loops  should  be  provided  with  the  means  of  detecting 
autopilot failures. While it is possible, in principle, to
monitor the outer loops external to the inner loops, it is
desirable for BIT to concentrate all monitoring in the inner
loops.

8.  In  order  to  reduce  the  effect  of  autopilot  disengagement 
transients  due  to  failures  of  the  outer  loops  it  is  desirable 
to  include  a fade-out  circuit  in  the  inner  loop.  This  cir- 
cuit could  be  a simple  lag  filter.  The  undesirable  lag 
effects  can  be  compensated  for  in  the  digital  computer  for 
normal  operation. 


* By  authority  limit  we  mean  rate  and  amplitude  of  signal. 




9. Digital computers can be used for BITE signal generation and
testing. When used for this purpose, at least one digital
computer must be operational before each flight.
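The authority limit of item 7 (a limit on both rate and amplitude) and the fade-out lag of item 8, with the lag compensated in the digital computer for normal operation, as an added Python example that is not from the report. The 2 deg amplitude limit, 20 deg/s rate limit, 0.2 s fade time constant and 50 Hz iteration are assumed values; the failure scenario is a hardover outer loop command isolated after 100 ms, consistent with the 50 to 100 ms alarm delay discussed in Appendix XI.

```python
class AuthorityLimiter:
    """Authority limit in the appendix's sense: both amplitude and rate of the
    autopilot command are limited. Placed in the inner loop so it still holds
    when the digital computer that normally computes the limit has failed."""

    def __init__(self, amplitude, rate, dt):
        self.amplitude = amplitude
        self.max_step = rate * dt       # largest change allowed per iteration
        self.out = 0.0

    def step(self, command):
        target = max(-self.amplitude, min(self.amplitude, command))
        delta = max(-self.max_step, min(self.max_step, target - self.out))
        self.out += delta
        return self.out


class LagFilter:
    """First-order lag y += alpha*(u - y): the inner-loop fade-out circuit."""

    def __init__(self, tau, dt):
        self.alpha = dt / (tau + dt)
        self.y = 0.0

    def step(self, u):
        self.y += self.alpha * (u - self.y)
        return self.y

    def compensate(self, desired):
        """Outer-loop pre-compensation: the input that makes the next filter
        output equal `desired` exactly, cancelling the lag in normal operation."""
        return self.y + (desired - self.y) / self.alpha


def servo_commands(outer_cmds, engaged, amplitude, rate, tau, dt):
    """Servo command per iteration: outer loop command -> authority limiter ->
    fade-out lag -> servo. Once `engaged` goes False (failure isolated) the
    limiter input is forced to zero and the lag fades the command out rather
    than dropping it as a step."""
    limiter = AuthorityLimiter(amplitude, rate, dt)
    fade = LagFilter(tau, dt)
    history = []
    for cmd, on in zip(outer_cmds, engaged):
        limited = limiter.step(cmd if on else 0.0)
        history.append(fade.step(limited))
    return history


def hardover_scenario(dt=0.02, isolate_after_s=0.1, run_s=0.6):
    """Outer loop commands a 10 deg hardover at t=0 (constructed failure);
    the failure is isolated after isolate_after_s and the command fades out."""
    n = int(run_s / dt)
    cmds = [10.0] * n
    engaged = [i * dt < isolate_after_s for i in range(n)]
    return servo_commands(cmds, engaged, amplitude=2.0, rate=20.0, tau=0.2, dt=dt)


if __name__ == "__main__":
    h = hardover_scenario()
    print(f"peak servo command {max(h):.3f} deg at iteration {h.index(max(h))}")
```

The rate limit holds the hardover to 0.4 deg per iteration and the amplitude limit caps it at 2 deg regardless of what the failed computer commands; after isolation the lag brings the servo command down smoothly instead of stepping it to zero, and `compensate` shows how the outer loop cancels that same lag while the autopilot is healthy.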

Configurations

Several outer loop/inner loop configurations are presented for
consideration. It is emphasized that our objective is to present
alternatives rather than recommendations. For simplicity it is
assumed that the inner loop (FBW) is a triplex arrangement.

Figure XII-1

In this arrangement a single digital computer supplies the auto-
pilot commands to all axes. Implicit in this configuration is the
assumption that the authority limit is compatible with autopilot
performance. The failure rate of the autopilot is at least as
great as that of the digital computer; e.g., 120 x 10^-6 failures
per hour. If autopilot sensors are not cross-strapped, the failure
rate could be considerably worse. With a single digital computer,
a single computer failure could result in a hardover to all axes.

Figure  XII-2 

In  this  configuration  two  digital  computers  supply  a single  auto- 
pilot command  to  all  axes  and  all  channels.  The  authority  limit 
is  presumed  to  be  compatible  with  performance.  Selection  of  one 
of  the  two  available  autopilot  commands  is  performed  by  the  pilot, 
assisted  by  comparison  monitoring  between  computers  followed  by 
computer self test in the event of a comparison difference. This
arrangement  results  in  a considerable  improvement  in  outer  loop 
availability. 

Figure  XII-3 

In this arrangement two digital computers supply two separate
autopilot commands for all axes and all channels. The two auto-
pilot commands are compared in each inner loop channel. Detected
failures result in rapid autopilot disengagement. While some
authority limit is provided, it is assumed that the safety limit
is not compatible with autopilot performance. Reliability and
availability of the autopilot are considerably worse than those of
a single computer as in Figure XII-1, since loss of one of two
computers will result in loss of the outer loop.


Figure  XII-4 

In this configuration there are three digital computers, each
supplying the autopilot command for all axes and all channels.
Command selection and monitoring is performed in the inner loops.
It is assumed that selection and failure monitoring of autopilot
sensors, if performed by the digital computers, is compatible
with safety requirements, since it must be presumed that the
authority limit is not compatible with autopilot performance.




[Figure XII-1: Single digital outer loop]

[Figure XII-2: figure not reproduced]

[Figure XII-3: Dual/fail passive digital outer loop]

[Figure XII-4: Fail operational triplex digital outer loops]


